├── sample_configs ├── sonic1.wri ├── ec2.txt ├── asa9.txt ├── pix1.txt ├── asa3.txt ├── asa2.txt ├── asa4.txt ├── asa5.txt ├── ipv6_test.txt └── asa1.txt ├── LICENSE ├── lib ├── common │ ├── errors.rb │ ├── ui.rb │ ├── vulnerability.rb │ └── config.rb ├── analyze │ ├── cisco_checks.rb │ ├── sonic_checks.rb │ ├── rules.rb │ └── remote_admin.rb ├── parse.rb ├── parse │ ├── ec2.rb │ ├── sonic.rb │ └── cisco.rb ├── analyze.rb ├── report │ ├── htmltable.rb │ ├── xml.rb │ └── html.rb ├── report.rb └── common.rb ├── config └── template.html ├── README.md └── prometheus.rb /sample_configs/sonic1.wri: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/averagesecurityguy/prometheus/HEAD/sample_configs/sonic1.wri -------------------------------------------------------------------------------- /sample_configs/ec2.txt: -------------------------------------------------------------------------------- 1 | GROUP Id Owner Name Description VpcID 2 | GROUP sg-adfb4dc5 715550992868 default default group 3 | PERMISSION 715550992868 default ALLOWS tcp 0 65535 FROM USER 715550992868 NAME default ID sg-adfb4dc5 ingress 4 | PERMISSION 715550992868 default ALLOWS udp 0 65535 FROM USER 715550992868 NAME default ID sg-adfb4dc5 ingress 5 | PERMISSION 715550992868 default ALLOWS icmp -1 -1 FROM USER 715550992868 NAME default ID sg-adfb4dc5 ingress 6 | GROUP sg-67f84e0f 715550992868 quick-start-1 quick-start-1 7 | PERMISSION 715550992868 quick-start-1 ALLOWS tcp 3389 3389 FROM CIDR 0.0.0.0/0 ingress 8 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Prometheus Firewall Analyzer 2 | Copyright (C) 2012 Stephen Haywood (AverageSecurityGuy) 3 | 4 | This program is free software; you can redistribute it and/or modify 5 | it under the terms of the GNU General Public License as published by 6 | the Free Software 
Foundation; either version 2 of the License, or 7 | (at your option) any later version. 8 | 9 | This program is distributed in the hope that it will be useful, 10 | but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 | GNU General Public License for more details. 13 | 14 | You should have received a copy of the GNU General Public License along 15 | with this program; if not, write to the Free Software Foundation, Inc., 16 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 17 | -------------------------------------------------------------------------------- /lib/common/errors.rb: -------------------------------------------------------------------------------- 1 | module PrometheusErrors 2 | 3 | ## 4 | # Generic error class for Prometheus. Use this for Prometheus specific 5 | # errors that do not fit in the other classes. 6 | class PrometheusError < StandardError 7 | attr_accessor :reason 8 | 9 | def initialize(reason = '') 10 | self.reason = reason 11 | end 12 | 13 | def to_s 14 | "Prometheus Error: #{self.reason}" 15 | end 16 | end 17 | 18 | ## 19 | # Use this for any error specifically related to generating the report. 20 | class ReportError < PrometheusError 21 | def to_s 22 | "Report Error: #{self.reason}" 23 | end 24 | end 25 | 26 | ## 27 | # Use this for any error specifically related to analyzing the firewall 28 | # configuration. 29 | class AnalysisError < PrometheusError 30 | def to_s 31 | "Analysis Error: #{self.reason}" 32 | end 33 | end 34 | 35 | ## 36 | # Use this for any erro specifically related to parsing the firewall 37 | # configuration. 
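class ParseError < PrometheusError
  def to_s
    "Parse Error: #{self.reason}"
  end
end

end
-------------------------------------------------------------------------------- /lib/analyze/cisco_checks.rb: --------------------------------------------------------------------------------
##
# Wrapper function to call each of the cisco checks.
#
# Input: A plain-text firewall config
#
# Output: A list of Analysis::Vulnerability objects, empty when no check
# fires.
def analyze_cisco_firewall(config)
  vulns = []

  # check_type7 returns a single Vulnerability or nil. It has to be appended,
  # not concat'ed: Array#concat expects an Array and raises TypeError when
  # handed a Vulnerability object.
  vuln = check_type7(config)
  vulns << vuln if vuln

  vulns
end

##
# Input: A plain-text firewall config
#
# Output: An Analysis::Vulnerability object, or nil when no account uses a
# type 7 password.
#
# Action: Check for user accounts using type 7 passwords. Only the account
# name is recorded for the report. The encoded password string is never
# copied out of the config: type 7 encoding is reversible, so the report
# must not become a second place the credential lives. Values placed in
# vuln.affected are later written into the HTML report as-is (html_cell in
# lib/report/htmltable.rb appends data.to_s without escaping), which is one
# more reason to keep this column to the bare account name.
def check_type7(config)

  vprint_status("Checking for type 7 passwords.")

  # One single-column row per affected account, so the rows line up with the
  # [['User Name']] header row added below.
  affected = []

  config.each_line do |line|
    # Matches "username <name> password 7 <encoded>" and captures <name>.
    # On a line without the username keyword (e.g. "enable password 7 ...")
    # the first word is captured instead, so the row still says where the
    # password lives.
    next unless line =~ /^\s*(?:username\s+)?(\S+).*\bpassword 7\s/

    affected << [Regexp.last_match(1)]
  end

  vuln = nil

  unless affected.empty?
    vuln = Analysis::Vulnerability.new("Cisco Type 7 Passwords")
    vuln.severity = 'high'

    vuln.desc = "The following users have type 7 passwords, which are "
    vuln.desc << "trivial to decode."

    vuln.solution = "Configure each user to use a type 5 password using "
    vuln.solution << "command username secret 0 password. "

    # Add column names to the list of affected users.
    vuln.affected = [['User Name']].concat(affected)
  end

  vuln

end
-------------------------------------------------------------------------------- /lib/analyze/sonic_checks.rb: --------------------------------------------------------------------------------
##
# Wrapper function to call each of the cisco checks.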
def analyze_sonic_firewall(config)
  # No SonicOS-specific checks exist yet: this always returns an empty list,
  # so a SonicWALL config only gets the generic rule and remote-administration
  # checks that analyze_firewall runs for every firewall type.
  vulns = []

  # vulns.concat()

  return vulns
end

##
# Input: A plain-text firewall config
#
# Output: A list of Analyze::Vulnerability objects
#
# Action: Check for user accounts using type 7 passwords.
#
# NOTE(review): this commented-out draft is a copy of the Cisco check and
# keeps its `affected.concat($1)` line; $1 is a String, so Array#concat
# raises TypeError there. `vulns.append` also only exists from Ruby 2.5.
# If the draft is revived, record each account as a one-element row
# (`affected << [name]`) and capture the user name, not the encoded password.
#def check_type7(config)
#
#  vprint_status("Checking for type 7 passwords.")
#
#  vulns = []
#  affected = []
#
#  config.each_line do |line|
#    if line =~ /password 7 (.*)$/
#      affected.concat($1)
#    end
#  end
#
#  vulns.append(type7_vulnerability(affected))
#  return vulns
#
#end

##
# Input: A list of affected users.
#
# Output: An Analyze::Vulnerability object.
#
# Action: Create an Analyze::Vulnerability object with the list of usernames.
#def type7_vulnerability(affected)
#
#  vuln = nil
#
#  if not affected.empty?
#    vuln = Analysis::Vulnerability.new("Cisco Type 7 Passwords")
#    vuln.severity = 'high'
#
#    vuln.desc = "The following users have type 7 passwords, which are "
#    vuln.desc << "trivial to decode."
#
#    vuln.solution = "Configure each user to use a type 5 password using "
#    vuln.solution << "command username secret 0 password. "
#
#    # Add column names to the list of affected interfaces.
#    vuln.affected = [['User Name']].concat(affected)
#  end
#
#  return vuln
#end
-------------------------------------------------------------------------------- /lib/parse.rb: --------------------------------------------------------------------------------
#-----------------------------------------------------------------------------
# This module is used to call the appropriate firewall parser based on the
# config type. The code for each parser should be in separate ruby file within
# lib/parse folder and should be 'required' below.
# An appropriate config file
# check and a call to the associated parser should be added to the
# parse_firewall method below. Each parser is expected to take a configuration
# file and return a FWConfig::FirewallConfig object.
#-----------------------------------------------------------------------------
require 'parse/sonic'
require 'parse/cisco'
require 'parse/ec2'

##
# Input: A firewall configuration file
#
# Output: A FWConfig::FirewallConfig object
#
# Action: Sniffs the config text to decide which firewall produced it and
# hands it to the matching parser. The branches are tried in order, so the
# specific Cisco markers are tested before the much looser /Sonic/ match;
# a config that matches none of them is rejected with a ParseError rather
# than being guessed at.
def parse_firewall(config)
  case config
  when /ASA Version/
    print_status("Parsing ASA configuration file.")
    parse_cisco_config(config)
  when /PIX Version/
    print_status("Parsing PIX configuration file.")
    parse_cisco_config(config)
  when /Sonic/
    print_status("Parsing SonicWALL configuration.")
    parse_sonic_config(config)
  when /GROUP\sId\sOwner\sName\sDescription\sVpcID/
    print_status("Parsing Amazon EC2 configuration.")
    parse_ec2_config(config)
  else
    raise ParseError, "Unknown firewall type."
  end
end
-------------------------------------------------------------------------------- /lib/common/ui.rb: --------------------------------------------------------------------------------
module PrometheusUI

  # Do we have color support?
  $color = true

  ##
  # The UI uses color-coded status messages, which work fine on *nix boxes
  # but requires extra modules on Windows. Check to see if we are on
  # Windows. If so, continue without color support.
  $color = false if RUBY_PLATFORM =~ /win32|mingw32/

  ##
  # Use ANSI encoding to colorize text.
17 | def colorize(text, color_code) 18 | "#{color_code}#{text}\033[0m" 19 | end 20 | 21 | def red(text); colorize(text, "\033[31m"); end 22 | def green(text); colorize(text, "\033[32m"); end 23 | def blue(text); colorize(text, "\033[34m"); end 24 | 25 | ## 26 | # Print status messages. 27 | def print_status(msg) 28 | if $color 29 | puts blue("[*] ") + msg 30 | else 31 | puts "[*] " + msg 32 | end 33 | end 34 | 35 | ## 36 | # Print error messages. 37 | def print_error(msg) 38 | if $color 39 | puts red("[-] ") + msg 40 | else 41 | puts "[-] " + msg 42 | end 43 | end 44 | 45 | ## 46 | # Print success messages. 47 | def print_good(msg) 48 | if $color 49 | puts green("[+]") + msg 50 | else 51 | puts "[+] " + msg 52 | end 53 | end 54 | 55 | ## 56 | # Print line 57 | def print_line(msg) 58 | puts msg 59 | end 60 | 61 | ## 62 | # Print status messages if verbose is true 63 | def vprint_status(msg) 64 | if $verbose || $debug then print_status(msg) end; 65 | end 66 | 67 | ## 68 | # Print error messages if verbose is true 69 | def vprint_error(msg) 70 | if $verbose || $debug then print_error(msg) end; 71 | end 72 | 73 | ## 74 | # Print success messages if verbose is true 75 | def vprint_good(msg) 76 | if $verbose || $debug then print_good(msg) end; 77 | end 78 | 79 | ## 80 | # Print debug messages if debug is true 81 | def print_debug(msg) 82 | if $debug 83 | puts '[debug] ' + msg 84 | end 85 | end 86 | 87 | end 88 | 89 | -------------------------------------------------------------------------------- /config/template.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Prometheus Firewall Analyzer Report 5 | 6 | 78 | 79 | 80 | 81 | 82 |
83 |

Firewall Analysis Report For --name--

84 | 85 |
86 |

Configuration Analysis Summary

87 | --summary_statement-- 88 | 89 |

Vulnerabilities

90 | --analysis-- 91 | 92 |

Configuration

93 | --interfaces-- 94 | 95 | --management-- 96 | 97 | --access_lists-- 98 | 99 | --host_names-- 100 | 101 | --network_names-- 102 | 103 | --service_names-- 104 | 105 |
106 |
107 | 108 | 109 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | Installing Prometheus 2 | ===================== 3 | Prometheus is a Ruby application and will run on any system running a recent 4 | version (1.8.7 or higher) of Ruby. To install Prometheus use the following 5 | steps: 6 | 7 | 1. Create a directory called prometheus. 8 | 2. Extract the prometheus files into the directory. 9 | 3. CD into the prometheus directory and run ./prometheus.rb -h 10 | 11 | How to Use Prometheus 12 | ===================== 13 | To use Prometheus, specify a configuration file to parse using the -c option. 14 | Prometheus defaults to creating an HTML report in the current directory using 15 | the default HTML template. To specify a custom template, use the -t option. 16 | If you are using Prometheus Pro, then use the -f option to specify an 17 | alternative report format. Currently, XML is the only alternative. 18 | 19 | Usage: ./prometheus.rb -c config_file [options] 20 | -c, --config_file FILE Firewall configuration to parse. 21 | -r, --report_file FILE Report file to write. 22 | -f, --format FORMAT Report format to use. 23 | -t, --template FILE File to use as template. 24 | -v, --verbose Print verbose output. 25 | -d, --debug Print debug output (very verbose). 26 | -h, --help Display this screen 27 | 28 | How To Use A Custom HTML Template 29 | ================================= 30 | To use a custom template, first, create an HTML file and place tags in the 31 | file to tell Prometheus where to insert the configuration and vulnerability 32 | elements. Currently, Prometheus supports the following tags: 33 | 34 | --name-- Firewall name. 35 | --type-- Firewall type. 36 | --firmware-- Firmware version. 37 | --summary_statement-- Summary statement. 38 | --analysis-- Identified vulnerabilities. 39 | --interfaces-- Firewall interfaces. 
40 | --management-- Management interfaces. 41 | --access_lists-- Access control lists. 42 | --host_names-- List of host names (Professional only). 43 | --network_names-- List of network names (Professional only). 44 | --service_names-- List of service names (Professional only). 45 | 46 | Next, specify the custom template to use with the -t option. To see an example 47 | of how to build a custom template, look at the default HTML template, 48 | template.html, in the config directory. It is recommended that you not modify 49 | template.html unless you make a backup copy first. 50 | -------------------------------------------------------------------------------- /sample_configs/asa9.txt: -------------------------------------------------------------------------------- 1 | !--- A config file with STD and Extended ACLs 2 | ASA Version 9.1(5)2 3 | ! 4 | hostname ASA 5 | domain-name cisco.com 6 | 7 | interface GigabitEthernet0/0 8 | nameif inside 9 | security-level 100 10 | ip address 172.16.5.10 255.255.255.0 11 | ! 12 | interface GigabitEthernet0/1 13 | nameif outside 14 | security-level 0 15 | ip address 203.0.113.2 255.255.255.0 16 | 17 | !--- AAA for the SSH configuration 18 | 19 | username ciscouser password 3USUcOPFUiMCO4Jk encrypted 20 | aaa authentication ssh console LOCAL 21 | 22 | http server enable 23 | http 172.16.5.0 255.255.255.0 inside 24 | no snmp-server location 25 | no snmp-server contact 26 | snmp-server enable traps snmp authentication linkup linkdown coldstar 27 | telnet timeout 5 28 | 29 | !--- Enter this command for each address or subnet 30 | !--- to identify the IP addresses from which 31 | !--- the security appliance accepts connections. 32 | !--- The security appliance accepts SSH connections from all interfaces. 
33 | 34 | ssh 172.16.5.20 255.255.255.255 inside 35 | ssh 198.51.100.70 255.255.255.255 outside 36 | 37 | !--- Allows the users on the host 172.16.5.20 on inside 38 | !--- Allows SSH access to the user on internet 198.51.100.70 on outside 39 | !--- to access the security appliance 40 | !--- on the inside interface. 41 | 42 | ssh 172.16.5.20 255.255.255.255 inside 43 | 44 | !--- Sets the duration from 1 to 60 minutes 45 | !--- (default 5 minutes) that the SSH session can be idle, 46 | !--- before the security appliance disconnects the session. 47 | 48 | ssh timeout 60 49 | 50 | console timeout 0 51 | ! 52 | class-map inspection_default 53 | match default-inspection-traffic 54 | ! 55 | ! 56 | policy-map global_policy 57 | class inspection_default 58 | inspect dns maximum-length 512 59 | inspect ftp 60 | inspect h323 h225 61 | inspect h323 ras 62 | inspect netbios 63 | inspect rsh 64 | inspect rtsp 65 | inspect skinny 66 | inspect esmtp 67 | inspect sqlnet 68 | inspect sunrpc 69 | inspect tftp 70 | inspect sip 71 | inspect xdmcp 72 | ! 73 | service-policy global_policy global 74 | 75 | interface GigabitEthernet0/1 76 | ip access-group 102 in 77 | ! 78 | access-list 102 permit tcp any host 192.168.1.100 eq ftp 79 | access-list 102 permit tcp any host 192.168.1.100 eq ftp-data established 80 | ! 81 | !--- A basic ACL 82 | interface GigabitEthernet0/1 83 | ip access-group 110 in 84 | ! 
85 | access-list 110 permit host 192.168.1.100 eq ftp any established 86 | access-list 110 permit host 192.168.1.100 eq ftp-data any 87 | 88 | !--- An extended ACL 89 | interface GigabitEthernet0/1 90 | ip address 172.16.1.2 255.255.255.0 91 | ip access-group 101 in 92 | access-list 101 deny icmp any 10.1.1.0 0.0.0.255 echo 93 | access-list 101 permit ip any 10.1.1.0 0.0.0.255 -------------------------------------------------------------------------------- /lib/parse/ec2.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # Input: A plain-text EC2 Security Group file obtained using ec2-describe-group -H 3 | # 4 | # Output: A FWConfig::FirewallConfig object 5 | # 6 | # Action: Parse the config line by line and update the appropriate parts of 7 | # the FWConfig::Firewall object 8 | def parse_ec2_config(config) 9 | 10 | fw = FWConfig::FirewallConfig.new 11 | 12 | ## 13 | # Read through each line of the configuration file, use regex to identify 14 | # the relevant parts of the config file, and update the FWConfig::Firewall 15 | # object as necessary. 16 | config.each_line do |line| 17 | rule_count = 0 18 | 19 | line.chomp! 20 | next if line =~ /^GROUP\sId\sOwner\sName\sDescription\sVpcID$/ 21 | 22 | # EC2 security group file does not have a host name associated 23 | # associated with it. 24 | if line =~ /^GROUP/ 25 | fw.name = line.split("\t")[2] 26 | print_debug("Processing firewall #{fw.name}") 27 | end 28 | fw.type = 'EC2' 29 | 30 | # Build a list of AccessList objects. EC2 access lists have both 31 | # a name and an ID. 
We will collect both for the access-list name 32 | if line =~ /^GROUP/ then 33 | arr = line.split("\t") 34 | id = arr[1] 35 | name = arr[3] 36 | 37 | vprint_status("Processing access control list.") 38 | print_debug("Name: #{name} \(#{id}\)") 39 | fw.access_lists << FWConfig::AccessList.new("#{name} (#{id})") 40 | 41 | # Reset the rule count when we get to a new group (access_list) 42 | rule_count = 0 43 | end 44 | 45 | if line =~ /^PERMISSION/ 46 | vprint_status("Processing rule") 47 | rule_count += 1 48 | arr = line.split("\t") 49 | print_debug("Rule: #{arr.join("::")}") 50 | rule = FWConfig::Rule.new(rule_count) 51 | rule.enabled = true 52 | rule.protocol = arr[4] 53 | 54 | # Set the action 55 | if arr[3] == 'ALLOWS' 56 | rule.action = 'Allow' 57 | else 58 | rule.action = 'Deny' 59 | end 60 | 61 | # Set rule source and destination 62 | if arr[8] == 'USER' 63 | print_debug("Source: #{arr[8,4].join(" ")}") 64 | rule.source = arr[8,4].join(" ") 65 | print_debug("Destination: #{arr[12]}") 66 | rule.dest = arr[12] 67 | elsif arr[8] == 'CIDR' 68 | print_debug("Source: #{arr[9]}") 69 | rule.source = arr[9] 70 | print_debug("Destination: #{arr[10]}") 71 | rule.dest = arr[10] 72 | end 73 | 74 | # Set rule service 75 | vprint_status("Processing service.") 76 | print_debug("Begin Port: #{arr[5]}") 77 | print_debug("End Port: #{arr[6]}") 78 | 79 | if arr[5] == arr[6] 80 | rule.service = arr[5] 81 | elsif ((arr[5] == '0') || (arr[6] == '65535')) 82 | rule.service = 'Any' 83 | else 84 | rule.service = "Range #{arr[5]} #{arr[6]}" 85 | end 86 | 87 | fw.access_lists.last.ruleset << rule 88 | 89 | end 90 | 91 | end 92 | 93 | return fw 94 | end 95 | 96 | -------------------------------------------------------------------------------- /lib/analyze.rb: -------------------------------------------------------------------------------- 1 | #----------------------------------------------------------------------------- 2 | # This module is used to call each of the firewall checks. 
The code for each 3 | # check should be in a separate ruby file within the lib/analyze folder and 4 | # should be 'required' below. Each check is expected to take as its input all 5 | # or part of a FWConfig::Firewall object and should return a list of 6 | # Analyze::Vulnerability objects, which will be added to the master list and 7 | # then separated by severity. 8 | #----------------------------------------------------------------------------- 9 | 10 | require 'analyze/rules' 11 | require 'analyze/remote_admin' 12 | require 'analyze/cisco_checks' 13 | require 'analyze/sonic_checks' 14 | 15 | ## 16 | # Input: A populated FWConfig::Firewall object or a plain-text config file. 17 | # 18 | # Output: Three lists of Analyze::Vulnerability objects, corresponding to the 19 | # severity levels high, medium, and low. 20 | # 21 | # Action: Calls each firewall check and concatenates the list of 22 | # vulnerabilities identified by each check into a master list of 23 | # vulnerabilities. The master list is then separated into three lists, which 24 | # are used to populate an Analyze::Summary object. 
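def analyze_firewall(firewall, config)
  print_status("Analyzing firewall configuration.")

  vulns = []

  # Run checks on firewall rules
  print_status("Checking firewall rules.")
  vulns.concat(analyze_firewall_rules(firewall.access_lists))

  # Run checks on remote administration
  print_status("Checking remote administration.")
  vulns.concat(analyze_remote_administration(firewall.interfaces))

  # Run firewall specific checks. These receive the raw config text rather
  # than the parsed object, so they can inspect lines the parser does not
  # model (e.g. password lines).
  if firewall.type == 'ASA' || firewall.type == 'PIX'
    vulns.concat(analyze_cisco_firewall(config))
  end

  if firewall.type == 'SonicOS'
    vulns.concat(analyze_sonic_firewall(config))
  end

  # split_by_severity returns three Arrays (not a Hash keyed on severity):
  # the high, medium and low vulnerabilities, in that order.
  highs, meds, lows = split_by_severity(vulns)

  # analysis is an Analysis::Summary object that holds the list of high, med
  # and low vulnerabilities along with the count of vulnerabilities.
  analysis = Analysis::Summary.new(highs, meds, lows)

  return analysis
end


##
# Input: A list of Analyze::Vulnerability objects (nil entries allowed)
#
# Output: Three lists of Analyze::Vulnerability objects: high, medium, low
#
# Action: Separates a list of Analyze::Vulnerability objects based on severity.
def split_by_severity(vulns)

  high = []
  med = []
  low = []

  # Checks push nil into their result list when nothing was found (see
  # create_vulnerability in analyze/rules.rb), so nil entries are skipped.
  # An entry whose severity is not 'high', 'medium' or 'low' is dropped
  # silently; a check that introduced another severity level would simply
  # vanish from the report.
  vulns.each do |v|
    next unless v

    case v.severity
    when 'high' then high << v
    when 'medium' then med << v
    when 'low' then low << v
    end
  end

  return high, med, low
end
-------------------------------------------------------------------------------- /sample_configs/pix1.txt: -------------------------------------------------------------------------------- 1 | : Saved 2 | : Written by enable_15 at 00:04:07.873 UTC Fri Jan 1 1993 3 | ! 4 | PIX Version 8.0(4) 5 | ! 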
6 | hostname EITS1 7 | domain-name lab.lab 8 | enable password encrypted 9 | passwd encrypted 10 | names 11 | ! 12 | interface Ethernet0 13 | shutdown 14 | no nameif 15 | no security-level 16 | no ip address 17 | ! 18 | interface Ethernet1 19 | nameif inside 20 | security-level 100 21 | ip address 192.168.1.100 255.255.255.0 22 | ! 23 | interface Ethernet2 24 | shutdown 25 | no nameif 26 | no security-level 27 | no ip address 28 | ! 29 | interface Ethernet3 30 | shutdown 31 | no nameif 32 | no security-level 33 | no ip address 34 | ! 35 | interface Ethernet4 36 | shutdown 37 | no nameif 38 | no security-level 39 | no ip address 40 | ! 41 | interface Ethernet5 42 | shutdown 43 | no nameif 44 | no security-level 45 | no ip address 46 | ! 47 | ftp mode passive 48 | dns server-group DefaultDNS 49 | domain-name lab.lab.com 50 | pager lines 24 51 | mtu inside 1500 52 | no failover 53 | icmp unreachable rate-limit 1 burst-size 1 54 | asdm image flash:/asdm-61551.bin 55 | no asdm history enable 56 | arp timeout 14400 57 | timeout xlate 3:00:00 58 | timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 59 | timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 60 | timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 61 | timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute 62 | dynamic-access-policy-record DfltAccessPolicy 63 | http server enable 64 | http 192.168.1.0 255.255.255.0 inside 65 | no snmp-server location 66 | no snmp-server contact 67 | snmp-server enable traps snmp authentication linkup linkdown coldstart 68 | crypto ipsec security-association lifetime seconds 28800 69 | crypto ipsec security-association lifetime kilobytes 4608000 70 | telnet timeout 5 71 | ssh timeout 5 72 | console timeout 0 73 | threat-detection basic-threat 74 | threat-detection statistics access-list 75 | no threat-detection statistics tcp-intercept 76 | ! 
77 | class-map inspection_default 78 | match default-inspection-traffic 79 | ! 80 | ! 81 | policy-map type inspect dns preset_dns_map 82 | parameters 83 | message-length maximum 512 84 | policy-map global_policy 85 | class inspection_default 86 | inspect dns preset_dns_map 87 | inspect ftp 88 | inspect h323 h225 89 | inspect h323 ras 90 | inspect netbios 91 | inspect rsh 92 | inspect rtsp 93 | inspect skinny 94 | inspect esmtp 95 | inspect sqlnet 96 | inspect sunrpc 97 | inspect tftp 98 | inspect sip 99 | inspect xdmcp 100 | ! 101 | service-policy global_policy global 102 | prompt hostname context 103 | Cryptochecksum:d5089d09e2a68a7421e5c9f1dd02bcb2 104 | : end 105 | -------------------------------------------------------------------------------- /lib/report/htmltable.rb: -------------------------------------------------------------------------------- 1 | #----------------------------------------------------------------------------- 2 | # This is a generic method for creating HTML tables. It is modeled after the 3 | # Table module used by REX in the Metasploit program. 4 | #----------------------------------------------------------------------------- 5 | module HTMLTable 6 | 7 | class Table 8 | 9 | attr_accessor :header, :columns, :rows 10 | 11 | ## 12 | # Input: A hash containing the options for building the table 13 | # 14 | # Output: A new HTMLTable::Table object. 15 | def initialize(opts={}) 16 | self.header = opts['Header'] 17 | self.columns = opts['Columns'] || [] 18 | self.rows = [] 19 | end 20 | 21 | ## 22 | # Create a new table using the header, columns and rows. 23 | def to_html() 24 | 25 | html = "
\n" 26 | 27 | # Add the header if one exists 28 | if self.header 29 | html << "

#{self.header}

\n" 30 | end 31 | 32 | # Ensure the number of columns is the same as the number of items in 33 | # each row. 34 | if self.columns.length != self.rows[0].length 35 | raise ReportError.new("HTML Report: Row length and Column length do not match.") 36 | end 37 | 38 | # Open the table 39 | html << "\n" 40 | 41 | # Add column row to the table 42 | if self.columns 43 | html << html_row(self.columns, true) 44 | end 45 | 46 | # Add each of the data rows to the table 47 | self.rows.each do |row| 48 | html << html_row(row) 49 | end 50 | 51 | # Close out the table 52 | html << "
\n
\n" 53 | 54 | return html 55 | end 56 | 57 | ## 58 | # Create a table row. If this is a header row then use the tags else 59 | # use the tags. 60 | def html_row(vals, head=false) 61 | head ? open = '' : open = '' 62 | head ? close = '' : close = '' 63 | 64 | # Create an individual row. 65 | row = "" 66 | spans = get_row_spans(vals) 67 | spans.each do |s| 68 | row << html_cell(open, close, s[0], s[1]) 69 | end 70 | row << "\n" 71 | 72 | return row 73 | end 74 | 75 | ## 76 | # Create a table cell with the appropriate colspan. 77 | def html_cell(open, close, data, span) 78 | # Create a cell 79 | cell = '' 80 | 81 | if span > 1 82 | cell << open.gsub(/>/, " colspan=\"#{span}\">") 83 | else 84 | cell << open 85 | end 86 | 87 | if data == '' then cell << ' ' else cell << data.to_s end 88 | cell << close 89 | 90 | return cell 91 | end 92 | 93 | ## 94 | # An individual piece of data can span mulitple columns. Read through the 95 | # data values, any data value set to nil represents an increase in the 96 | # colspan for the previous data value. 97 | def get_row_spans(vals) 98 | spans = [] 99 | vals.each do |v| 100 | if v then spans << [v, 1] end 101 | if v == nil then spans.last[1] += 1 end 102 | end 103 | return spans 104 | end 105 | 106 | end 107 | end 108 | -------------------------------------------------------------------------------- /lib/analyze/rules.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # Input: A list of FWConfig::AccessList objects 3 | # 4 | # Output: A list of vulnerabilty objects. 5 | # 6 | # Action: The rules in each FWConfig::AccessList object is analyzed for excessive 7 | # permissions. The source, destination, and service are checked for the 'Any' 8 | # permission. The more 'Any' permissions, the higher the severity of the 9 | # vulnerability. 
10 | # 11 | def analyze_firewall_rules(acls) 12 | 13 | vulns = [] 14 | high = [] 15 | medium = [] 16 | low = [] 17 | 18 | acls.each do |acl| 19 | acl.ruleset.each do |rule| 20 | score = 0 21 | if (rule.enabled? && rule.action == 'Allow') 22 | if rule.source == 'Any' then score += 1 end 23 | if rule.dest == 'Any' then score += 1 end 24 | if rule.service == 'Any' then score += 1 end 25 | end 26 | if score == 3 then high << [acl.name, rule.num, rule.source, 27 | rule.dest, rule.service] end 28 | if score == 2 then medium << [acl.name, rule.num, rule.source, 29 | rule.dest, rule.service] end 30 | if score == 1 then low << [acl.name, rule.num, rule.source, 31 | rule.dest, rule.service] end 32 | end 33 | end 34 | 35 | vprint_status("Analyzing rules for high-severity vulnerabilities.") 36 | vulns << create_vulnerability('high', high) 37 | 38 | vprint_status("Analyzing rules for medium-severity vulnerabilities.") 39 | vulns << create_vulnerability('medium', medium) 40 | 41 | vprint_status("Analyzing rules for low-severity vulnerabilities.") 42 | vulns << create_vulnerability('low', low) 43 | 44 | return vulns 45 | end 46 | 47 | 48 | ## 49 | # Input: A severity rating and a list of affected rules. 50 | # 51 | # Output: An Analysis::Vulnerability object. 52 | # 53 | # Action: Create an Analysis::Vulnerability object with a description based on 54 | # the severity rating. 55 | def create_vulnerability(sev, affected) 56 | 57 | vuln = nil 58 | unless affected.empty? 59 | vuln = Analysis::Vulnerability.new("Overly Permissive Rules") 60 | 61 | vuln.severity = sev 62 | 63 | vuln.desc = "The following rules have #{sev}-severity vulnerabilities, " 64 | vuln.desc << "which means traffic is " 65 | 66 | case sev 67 | when "high" 68 | vuln.desc << "completely unrestricted because the source, destination, " 69 | vuln.desc << "and service are set to 'Any'." 
70 | when "medium" 71 | vuln.desc << "mostly unrestricted because at least two of either the " 72 | vuln.desc << "source, destination, or service is set to 'Any'." 73 | when "low" 74 | vuln.desc << "only somewhat restricted because one of either the " 75 | vuln.desc << "source, destination, or service is set to 'Any'." 76 | end 77 | 78 | vuln.solution = "Rules that make use of 'Any' in the source, " 79 | vuln.solution << "destination, or service are typically not sufficiently " 80 | vuln.solution << "restrictive and should be reviewed to ensure they are " 81 | vuln.solution << "only as permissive as necessary." 82 | 83 | cols = ['Access List', 'Rule #', 'Source', 'Destination', 'Service'] 84 | vuln.affected = [cols].concat(affected) 85 | end 86 | 87 | return vuln 88 | end 89 | -------------------------------------------------------------------------------- /prometheus.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | 3 | # Copyright 2012 Stephen Haywood aka AverageSecurityGuy 4 | # All rights reserved see LICENSE file. 5 | 6 | # Tell Ruby to look in the lib folder for include files 7 | base = __FILE__ 8 | while File.symlink?(base) 9 | base = File.expand_path(File.readlink(base), File.dirname(base)) 10 | end 11 | 12 | $:.unshift(File.join(File.dirname(base), 'lib')) 13 | $base_dir = File.dirname(base) 14 | 15 | # Set the version number 16 | version = '2.0.4' 17 | 18 | # Setup optparse to handle command line arguments. 19 | require 'optparse' 20 | 21 | options = {} 22 | optparse = OptionParser.new do |opts| 23 | # Usage banner 24 | opts.banner = "Usage: ./prometheus.rb -c config_file [options]" 25 | 26 | # Firewall configuration file 27 | options[:config] = "" 28 | opts.on( '-c', '--config_file FILE', "Firewall configuration to parse." ) do|c| 29 | options[:config] = c 30 | end 31 | 32 | # Report output file 33 | options[:report] = nil 34 | opts.on( '-r', '--report_file FILE', "Report file to write." 
) do |r| 35 | options[:report] = r 36 | end 37 | 38 | # Report format 39 | options[:format] = "html" 40 | opts.on( '-f', '--format FORMAT', "Report format to use." ) do |f| 41 | options[:format] = f 42 | end 43 | 44 | # Report template 45 | options[:template] = nil 46 | opts.on( '-t', '--template FILE', "File to use as template." ) do |t| 47 | options[:template] = t 48 | end 49 | 50 | # Verbose output 51 | options[:verbose] = false 52 | opts.on( '-v', '--verbose', "Print verbose output.") do |v| 53 | options[:verbose] = true 54 | end 55 | 56 | # Debug output 57 | options[:debug] = false 58 | opts.on( '-d', '--debug', "Print debug output (very verbose).") do |d| 59 | options[:debug] = true 60 | end 61 | 62 | # Display Version 63 | options[:version] = false 64 | opts.on( '-V', '--version', "Print version number.") do |ver| 65 | options[:version] = true 66 | end 67 | 68 | # This displays the help screen. 69 | opts.on( '-h', '--help', 'Display this screen' ) do 70 | puts opts 71 | exit 72 | end 73 | end 74 | 75 | optparse.parse! 
76 | 77 | # Begin main program 78 | require 'common' 79 | require 'parse' 80 | require 'analyze' 81 | require 'report' 82 | 83 | include PrometheusErrors 84 | include PrometheusUI 85 | 86 | $verbose = options[:verbose] 87 | $debug = options[:debug] 88 | 89 | if options[:version] 90 | print_line("Prometheus version #{version}") 91 | exit(1) 92 | end 93 | 94 | print_status("Launching Prometheus version #{version}.") 95 | config = open_config_file(options[:config]) 96 | 97 | # Parse the firewall config 98 | begin 99 | firewall = parse_firewall(config) 100 | rescue ParseError => e 101 | print_error(e.message) 102 | exit(1) 103 | end 104 | 105 | # Analyze the firewall config 106 | begin 107 | analysis = analyze_firewall(firewall, config) 108 | rescue AnalysisError => e 109 | print_error(e.message) 110 | exit(1) 111 | end 112 | 113 | #Create report for firewall config and analysis 114 | begin 115 | report_firewall(firewall, analysis, options[:report], options[:format], options[:template] ) 116 | rescue ReportError => e 117 | print_error(e.message) 118 | exit(1) 119 | end -------------------------------------------------------------------------------- /lib/report.rb: -------------------------------------------------------------------------------- 1 | #----------------------------------------------------------------------------- 2 | # This module is used to call the appropriate report writer based on the -f 3 | # command line option. Supported report types are HTML and XML. The code for 4 | # each report should be in a separate ruby file within lib/report folder and 5 | # should be 'required' below. An appropriate format check and a call to the 6 | # associated reporting method should be added to the report_firewall method 7 | # below. Each report method is expected to take a FWConfig::Firewall object, a 8 | # Analysis::Summary object, and an optional template and is expected to return 9 | # a string containing the report. 
The report is then written to a file using 10 | # the save_report method. 11 | #----------------------------------------------------------------------------- 12 | require 'report/htmltable' 13 | require 'report/html' 14 | require 'report/xml' 15 | 16 | include Report::XMLReport 17 | include Report::HTMLReport 18 | 19 | ## 20 | # Takes a FWConfig::Firewall object a list of Analyze::Vulnerability objects an 21 | # output filename, a report format, and a template file name. Creates a report 22 | # in the specified format using the specified template file (for HTML format). 23 | # Calls save_report to write the report to disk. 24 | 25 | def report_firewall(firewall, analysis, filename, format, template) 26 | 27 | report = nil 28 | outfile = set_outfile_name(filename, format) 29 | templatefile = set_template_name(template, format) 30 | 31 | case format.downcase 32 | when "xml" 33 | report = generate_xml_report(firewall, analysis) 34 | when "html" 35 | report = generate_html_report(firewall, analysis, templatefile) 36 | else 37 | raise ReportError, "Unknown report format #{format}" 38 | end 39 | 40 | save_report(outfile, report) 41 | 42 | end 43 | 44 | ## 45 | # Takes a filename and a string representing a report and writes the report to 46 | # the file specified by filename. It creates the file if it does not exist and 47 | # overwrites the file if it does. 48 | 49 | def save_report(filename, report) 50 | print_status("Saving report to #(unknown).") 51 | file = ::File.open(filename, "w") 52 | file.write(report) 53 | file.close 54 | print_status("Report successfully written.") 55 | end 56 | 57 | ## 58 | # Takes a file name and report format and creates an appropriate default output 59 | # file name. The file name could be nil or it could be specified by the -f 60 | # command line option. If it is nil a default name will be given based on the 61 | # date, time and format. 
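
def set_outfile_name(filename, format)
  # An explicit -r filename always wins; otherwise name the report after the
  # current epoch time so repeated runs do not overwrite each other.
  return filename if filename

  "#{Time.now.to_i}.#{format.downcase}"
end


##
# Takes a template name and a report format and creates the appropriate
# template file name. The template name could be nil or it could be specified
# with the -t command line option. If it is nil a default template name will
# be returned based on the format (config/template.<format> under the
# installation directory). Otherwise the specified template name will be
# returned unchanged.

def set_template_name(template, format)
  return template if template

  $base_dir + "/config/template.#{format.downcase}"
end

-------------------------------------------------------------------------------- /lib/common.rb: --------------------------------------------------------------------------------
#-----------------------------------------------------------------------------
# This module is used to import each of the common modules used throughout
# the program. Any additional modules that are meant to be used throughout
# the program should be added under the lib/common directory. The current
# modules in use are:
#
# PrometheusErrors - defines ParseErrors, Report Errors and Analysis Errors
# PrometheusUI - used to display color-coded status messages in the
# terminal
# Config - defines all the objects necessary for holding the
# firewall configuration.
# Vulnerability - defines a Vulnerability object and a Summary object.
#-----------------------------------------------------------------------------
require 'common/errors'
require 'common/ui'
require 'common/config'
require 'common/vulnerability'

##
# Input: path to the firewall configuration file (the -c command line option).
#
# Output: the contents of the file as a string.
#
# Action: Check that the path exists, is a regular file and is not empty,
# raising ParseError otherwise, then read the whole file.
def open_config_file(config_file)
  # File.exist? rather than File.exists?: the latter was removed in Ruby 3.2.
  unless File.exist?(config_file)
    raise ParseError.new("Configuration file does not exist.")
  end

  unless File.file?(config_file)
    raise ParseError.new("The configuration file is not a valid file.")
  end

  if File.zero?(config_file)
    raise ParseError.new("The configuration file is empty.")
  end

  # Block form closes the handle even if read raises.
  File.open(config_file) { |f| f.read }
end

##
# Input: a string that should contain an ip address
#
# Output: true or false
#
# Action: split the string into octets and check each octet to ensure
# it is between 0 and 255. Raises ParseError (from str_to_octet) when the
# string is not a dotted quad.
#
# NOTE: str_to_octet converts each octet with String#to_i, so non-numeric
# text becomes 0 (for example "xxx.xxx.45.196" is accepted as 0.0.45.196).
# Tighten str_to_octet if strict validation of the octets is required.
def is_ip?(str)
  octets = str_to_octet(str)
  octets.all? { |o| o >= 0 && o <= 255 }
end

##
# Input: a string that should contain a subnet mask
#
# Output: true or false
#
# Action: split the string into octets and ensure each octet is a
# valid mask value and that each octet is ordered appropriately.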
70 | def is_mask?(str) 71 | is_mask = false 72 | mask = [128, 192, 224, 240, 248, 252, 254, 255] 73 | 74 | o1, o2, o3, o4 = str_to_octet(str) 75 | if (mask.include?(o1) && o2 == 0 && o3 == 0 && o4 == 0) then is_mask = true end 76 | if (o1 == 255 && mask.include?(o2) && o3 == 0 && o4 == 0) then is_mask = true end 77 | if (o1 == 255 && o2 == 255 && mask.include?(o3) && o4 == 0) then is_mask = true end 78 | if (o1 == 255 && o2 == 255 && o3 == 255 && mask.include?(o4)) then is_mask = true end 79 | 80 | return is_mask 81 | end 82 | 83 | ## 84 | # Input: a string that should be in the form of a dotted quad 85 | # 86 | # Output: four integers representing the dotted quads 87 | # 88 | # Action: Split the string into four octets. If any of the octets are 89 | # nil then this is not a proper dotted quad, raise a parse error. 90 | def str_to_octet(str) 91 | o1, o2, o3, o4 = str.split(".") 92 | if (o1 && o2 && o3 && o4) 93 | return o1.to_i, o2.to_i, o3.to_i, o4.to_i 94 | else 95 | raise ParseError.new("String #{str} is not in dotted quad form.") 96 | end 97 | end 98 | -------------------------------------------------------------------------------- /sample_configs/asa3.txt: -------------------------------------------------------------------------------- 1 | show run 2 | : Saved 3 | : 4 | ASA Version 7.0(5) 5 | ! 6 | hostname ciscoasa 7 | enable password cisco 8 | names 9 | dns-guard 10 | ! 11 | interface GigabitEthernet0/0 12 | nameif outside 13 | security-level 0 14 | ip address 192.168.1.1 255.255.255.0 15 | ospf message-digest-key 1 md5 16 | ospf authentication message-digest 17 | ! 18 | interface GigabitEthernet0/1 19 | nameif inside 20 | security-level 100 21 | ip address 192.168.2.1 255.255.255.0 22 | ospf message-digest-key 1 md5 23 | ospf authentication message-digest 24 | ! 25 | interface GigabitEthernet0/2 26 | shutdown 27 | no nameif 28 | no security-level 29 | no ip address 30 | ! 
31 | interface GigabitEthernet0/3 32 | shutdown 33 | no nameif 34 | no security-level 35 | no ip address 36 | ! 37 | interface Management0/0 38 | nameif management 39 | security-level 100 40 | no ip address 41 | management-only 42 | ! 43 | passwd cisco 44 | ftp mode passive 45 | pager lines 24 46 | logging asdm informational 47 | mtu management 1500 48 | mtu outside 1500 49 | mtu inside 1500 50 | no failover 51 | icmp permit any outside 52 | icmp permit any inside 53 | no asdm history enable 54 | arp timeout 14400 55 | static (inside,outside) 192.168.2.2 192.168.2.2 netmask 255.255.255.255 56 | ! 57 | router ospf 1 58 | network 192.168.1.0 255.255.255.0 area 0 59 | area 0 authentication message-digest 60 | log-adj-changes 61 | redistribute ospf 2 metric 11 subnets 62 | ! 63 | router ospf 2 64 | network 192.168.2.0 255.255.255.0 area 0 65 | area 0 authentication message-digest 66 | log-adj-changes 67 | redistribute ospf 1 metric 9 subnets 68 | ! 69 | timeout xlate 3:00:00 70 | timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 71 | timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 72 | timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00 73 | timeout uauth 0:05:00 absolute 74 | http server enable 75 | http 192.168.1.0 255.255.255.0 management 76 | no snmp-server location 77 | no snmp-server contact 78 | snmp-server enable traps snmp authentication linkup linkdown coldstart 79 | telnet timeout 5 80 | ssh timeout 5 81 | console timeout 0 82 | dhcpd lease 3600 83 | dhcpd ping_timeout 50 84 | Cryptochecksum:61e142f817190da00d365f2ef63ff97c 85 | : end 86 | ciscoasa(config)# 87 | ciscoasa(config)# 88 | ciscoasa(config)# show route 89 | 90 | O IA 172.16.2.254 255.255.255.255 [110/11] via 192.168.2.2, 3:21:21, inside 91 | O IA 172.16.3.254 255.255.255.255 [110/11] via 192.168.2.2, 3:21:21, inside 92 | O IA 172.16.1.254 255.255.255.255 [110/11] via 192.168.2.2, 3:21:21, inside 93 | O IA 172.16.4.254 255.255.255.255 [110/11] via 192.168.2.2, 
3:21:21, inside 94 | O IA 10.0.4.254 255.255.255.255 [110/11] via 192.168.1.2, 3:21:21, outside 95 | O IA 10.0.1.254 255.255.255.255 [110/11] via 192.168.1.2, 3:21:21, outside 96 | O IA 10.0.2.254 255.255.255.255 [110/11] via 192.168.1.2, 3:21:21, outside 97 | O IA 10.0.3.254 255.255.255.255 [110/11] via 192.168.1.2, 3:21:21, outside 98 | C 192.168.1.0 255.255.255.0 is directly connected, outside 99 | C 192.168.2.0 255.255.255.0 is directly connected, inside 100 | ciscoasa(config)# 101 | ciscoasa(config)# 102 | ciscoasa(config)# show i ospf nei 103 | 104 | 105 | Neighbor ID Pri State Dead Time Address Interface 106 | 192.168.1.2 1 FULL/DR 0:00:38 192.168.1.2 outside 107 | 192.168.2.2 1 FULL/DR 0:00:32 192.168.2.2 inside 108 | ciscoasa(config)# 109 | -------------------------------------------------------------------------------- /lib/common/vulnerability.rb: -------------------------------------------------------------------------------- 1 | module Analysis 2 | 3 | ## 4 | # Class to hold a summary of the vulnerabilities. 
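#
# @highs - list of high-severity vulnerabilities
# @mediums - list of medium-severity vulnerabilities
# @lows - list of low-severity vulnerabilities
# high_count - Number of items affected by high-severity vulnerabilities
# medium_count - Number of items affected by medium-severity vulnerabilities
# low_count - Number of items affected by low-severity vulnerabilities
# high_rule_count - Number of high-severity, overly permissive rules
# medium_rule_count - Number of medium-severity, overly permissive rules
# low_rule_count - Number of low-severity, overly permissive rules
class Summary
  attr_accessor :highs, :mediums, :lows

  def initialize(highs, mediums, lows)
    @highs = highs
    @mediums = mediums
    @lows = lows
  end

  ##
  # Count the items affected by high-severity vulnerabilities.
  def high_count
    count_vulns(@highs)
  end

  ##
  # Count the items affected by medium-severity vulnerabilities.
  def medium_count
    count_vulns(@mediums)
  end

  ##
  # Count the items affected by low-severity vulnerabilities.
  def low_count
    count_vulns(@lows)
  end

  ##
  # Count the number of high-severity, overly permissive rules and
  # return the count.
  def high_rule_count
    count_permissive_rules(@highs)
  end

  ##
  # Count the number of medium-severity, overly permissive rules and
  # return the count.
  def medium_rule_count
    count_permissive_rules(@mediums)
  end

  ##
  # Count the number of low-severity, overly permissive rules and
  # return the count.
  def low_rule_count
    count_permissive_rules(@lows)
  end

  ##
  # Input: A list of Analysis::Vulnerability objects.
  #
  # Output: An integer representing the number of items affected by the
  # vulnerabilities.
  #
  # Action: Add up the length of each vulnerability's affected list, minus
  # the header row every affected list carries as its first element.
  #
  # analyze_firewall_rules appends create_vulnerability's nil return when a
  # severity has no matching rules, so nil entries are skipped instead of
  # raising NoMethodError.
  def count_vulns(vulns)
    vulns.compact.inject(0) { |sum, vuln| sum + affected_count(vuln) }
  end

  ##
  # Input: A list of Analysis::Vulnerability objects.
  #
  # Output: An integer representing the number of items affected by
  # "Overly Permissive Rules".
  #
  # Action: Add up the affected items (excluding the header row) of every
  # vulnerability named "Overly Permissive Rules"; nil entries are skipped.
  def count_permissive_rules(vulns)
    vulns.compact.inject(0) do |sum, vuln|
      vuln.name == "Overly Permissive Rules" ? sum + affected_count(vuln) : sum
    end
  end

  private

  # Number of affected items in one vulnerability, excluding the header row
  # stored as the first element of affected.
  def affected_count(vuln)
    vuln.affected.length - 1
  end
end


##
# Class to hold a single vulnerability.
#
# @name - name of the vulnerability
# @severity - severity level: high, medium, low (validated by severity=)
# @desc - description of the vulnerability
# @solution - recommended solution for the vulnerability
# @affected - list of items affected by the vulnerability. The first item
# in the list is the column names used when writing the list
# in the report
class Vulnerability
  attr_accessor :name, :severity, :desc, :solution, :affected

  def initialize(name)
    @name = name
    # Assigned directly, not through severity=, so a new object can exist
    # before the check sets a severity.
    @severity = nil
    @desc = nil
    @solution = nil
    @affected = []
  end

  ##
  # The vulnerability check is expected to set @severity to 'high',
  # 'medium', or 'low'. Anything else raises an error.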
137 | def severity=(input) 138 | if ((input == 'high') || (input == 'medium') || (input == 'low')) 139 | @severity = input 140 | else 141 | raise AnalyzeError.new("Invalid input for Analyze::Vulnerabilty.severity: #{input}") 142 | end 143 | end 144 | 145 | end 146 | 147 | end 148 | -------------------------------------------------------------------------------- /lib/analyze/remote_admin.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # Wrapper function to call each of the remote administration checks. Keeps the 3 | # analyze.rb code cleaner to do multiple calls in a wrapper function. 4 | def analyze_remote_administration(interfaces) 5 | vulns = [] 6 | 7 | vulns.concat(check_cleartext_administration(interfaces)) 8 | vulns.concat(check_external_administration(interfaces)) 9 | 10 | return vulns 11 | end 12 | 13 | ## 14 | # Input: A list of FWConfig::Interface objects 15 | # 16 | # Output: A list of Analyze::Vulnerability objects 17 | # 18 | # Action: Loop through each interface and see if either HTTP or Telnet is used 19 | # for remote administration. If either is in use then create a vulnerability. 20 | def check_cleartext_administration(ints) 21 | 22 | vprint_status("Checking for cleartext administration.") 23 | 24 | vulns = [] 25 | http = [] 26 | telnet = [] 27 | 28 | ints.each do |int| 29 | if int.http? then http << [int.name] end 30 | if int.telnet? then telnet << [int.name] end 31 | end 32 | 33 | vuln = rm_cleartext_vulnerability('HTTP', http) 34 | if vuln then vulns << vuln end 35 | 36 | vuln = rm_cleartext_vulnerability('Telnet', telnet) 37 | if vuln then vulns << vuln end 38 | 39 | return vulns 40 | 41 | end 42 | 43 | ## 44 | # Input: A list of FWConfig::Interface objects 45 | # 46 | # Output: A list of Analyze::Vulnerability objects 47 | # 48 | # Action: Loop through each interface. 
If the interface is labled as an 49 | # external interface and either of the remote administration protocols are in 50 | # use on the interface then create a vulnerability. 51 | def check_external_administration(ints) 52 | vprint_status("Checking for external administration.") 53 | 54 | vulns = [] 55 | external = [] 56 | 57 | unless ints == nil 58 | ints.each do |int| 59 | eadmin = false 60 | if int.external? 61 | vprint_status("External Check: #{int.name}") 62 | if int.http? then eadmin = true end 63 | if int.https? then eadmin = true end 64 | if int.ssh? then eadmin = true end 65 | if int.telnet? then eadmin = true end 66 | end 67 | if eadmin then external << [int.name] end 68 | end 69 | end 70 | 71 | vuln = rm_external_vulnerability(external) 72 | if vuln then vulns << vuln end 73 | 74 | return vulns 75 | 76 | end 77 | 78 | ## 79 | # Input: A protocol name and a list of affected interface names. 80 | # 81 | # Output: An Analyze::Vulnerability object. 82 | # 83 | # Action: Create an Analyze::Vulnerability object and vary the description and 84 | # solution based on the protocol 85 | def rm_cleartext_vulnerability(proto, affected) 86 | 87 | vuln = nil 88 | 89 | if not affected.empty? 90 | vuln = Analysis::Vulnerability.new("Remote Management with #{proto}") 91 | vuln.severity = 'high' 92 | 93 | vuln.desc = "The following interfaces are using #{proto} for remote " 94 | vuln.desc << "administration. #{proto} is considered insecure because all " 95 | vuln.desc << "information is transmitted in clear text, which could " 96 | vuln.desc << "allow an attacker to capture login credentials." 97 | 98 | vuln.solution = "Disable remote management through #{proto}, if possible. " 99 | vuln.solution << "If it is not possible, limit access to the management " 100 | vuln.solution << "interface to only those IP addresses necessary." 101 | 102 | # Add column names to the list of affected interfaces. 
103 | vuln.affected = [['Interface']].concat(affected) 104 | end 105 | 106 | return vuln 107 | end 108 | 109 | ## 110 | # Input: A list of affected interface names. 111 | # 112 | # Output: An Analyze::Vulnerability object. 113 | # 114 | # Action: Create an Analyze::Vulnerabilty object for remote management on 115 | # external interfaces. 116 | def rm_external_vulnerability(affected) 117 | 118 | vuln = nil 119 | 120 | if not affected.empty? 121 | vuln = Analysis::Vulnerability.new("Remote Management on External Interface") 122 | vuln.severity = 'high' 123 | 124 | vuln.desc = "The firewall can be remotely managed on the following " 125 | vuln.desc << "external interfaces. This gives an external attacker " 126 | vuln.desc << "the opportunity to exploit any known vulnerabilities in " 127 | vuln.desc << "the management interface. In addition, an attacker may " 128 | vuln.desc << "be able to conduct a dictionary password attack on the " 129 | vuln.desc << "management interface login. A successful attack could " 130 | vuln.desc << "give the attacker complete control of the firewall." 131 | 132 | vuln.solution = "Disable external remote management, if possible. If " 133 | vuln.solution << "it is not possible, then limit access to the " 134 | vuln.solution << "management interface to only those IP addresses " 135 | vuln.solution << "necessary." 136 | 137 | # Add header to list of affected interfaces 138 | vuln.affected = [['Interface']].concat(affected) 139 | end 140 | 141 | return vuln 142 | end 143 | 144 | -------------------------------------------------------------------------------- /sample_configs/asa2.txt: -------------------------------------------------------------------------------- 1 | WRH-ASA# show run 2 | : Saved 3 | : 4 | ASA Version 7.0(6) 5 | ! 
6 | hostname WRH-ASA 7 | domain-name myworkdomainhere.org 8 | names 9 | name 192.0.0.25 MAIL-PRIV 10 | name xxx.xxx.45.196 MAIL-PUB 11 | name 192.0.0.11 TEST-PRIV 12 | name 192.0.0.207 WEB-PRIV 13 | name xxx.xxx.45.198 WEB-PUB 14 | name 192.0.0.72 CITRIX-02 15 | name xxx.xxx.45.195 CITRIX02-PUB 16 | name 192.0.0.26 Spamstop 17 | name 192.0.0.235 CHARTLINK 18 | name xxx.xxx.45.197 CHARTLINK-PUB 19 | name 192.0.0.99 WEBBETA-PRIV 20 | name xxx.xx.168.156 WEBBETA-PUB 21 | name xxx.xx.168.157 GWMOBILE-PUB 22 | name 192.0.0.74 GWMOBILE-PRI 23 | name xxx.xx.168.154 CITRIX01-PUB 24 | name 192.0.3.253 CITRIX01-PRI 25 | dns-guard 26 | ! 27 | interface Ethernet0/0 28 | nameif outside 29 | security-level 0 30 | ip address xxx.xxx.45.194 255.255.255.248 31 | ! 32 | interface Ethernet0/1 33 | nameif inside 34 | security-level 100 35 | ip address 10.10.0.2 255.255.255.0 36 | ! 37 | interface Ethernet0/2 38 | nameif dmz 39 | security-level 40 40 | ip address 10.34.17.2 255.255.255.0 41 | ! 42 | interface Ethernet0/3 43 | shutdown 44 | no nameif 45 | no security-level 46 | no ip address 47 | ! 48 | interface Management0/0 49 | shutdown 50 | nameif management 51 | security-level 100 52 | no ip address 53 | management-only 54 | ! 
55 | ftp mode passive 56 | clock timezone EST -5 57 | clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00 58 | access-list INBOUND extended permit icmp any any 59 | access-list INBOUND extended permit tcp any host MAIL-PUB eq smtp 60 | access-list INBOUND extended permit tcp any host MAIL-PUB eq https 61 | access-list INBOUND extended permit tcp any host MAIL-PUB eq www 62 | access-list INBOUND extended permit tcp any host WEB-PUB eq www 63 | access-list INBOUND extended permit tcp any host WEB-PUB eq citrix-ica 64 | access-list INBOUND extended permit tcp any host CITRIX02-PUB eq citrix-ica 65 | access-list INBOUND extended permit tcp any host CHARTLINK-PUB eq www 66 | access-list INBOUND extended permit tcp any host CHARTLINK-PUB eq https 67 | access-list INBOUND extended permit tcp any host CHARTLINK-PUB eq ssh 68 | access-list INBOUND extended permit tcp any host xxx.xx.168.155 eq smtp 69 | access-list INBOUND extended permit tcp any host xxx.xx.168.155 eq www 70 | access-list INBOUND extended permit tcp any host xxx.xx.168.155 eq https 71 | access-list INBOUND extended permit tcp any host WEBBETA-PUB eq www 72 | access-list INBOUND extended permit tcp any host WEBBETA-PUB eq citrix-ica 73 | access-list INBOUND extended permit tcp any host GWMOBILE-PUB eq www 74 | access-list INBOUND extended permit tcp any host CITRIX01-PUB eq citrix-ica 75 | access-list DMZ-INBOUND extended permit ip any any 76 | access-list NONAT extended permit ip 192.0.0.0 255.255.252.0 10.34.17.0 255.255.255.0 77 | access-list NONAT extended permit ip 172.16.4.0 255.255.255.0 10.34.17.0 255.255.255.0 78 | access-list NONAT extended permit icmp 172.16.4.0 255.255.255.0 10.34.17.0 255.255.255.0 79 | access-list NONAT extended permit ip host 192.0.0.236 host 10.0.0.2 80 | access-list NONAT extended permit ip host 192.0.0.200 host 10.0.0.2 81 | access-list inside_nat0_outbound extended permit ip 192.0.0.0 255.255.252.0 10.34.17.0 255.255.255.0 82 | access-list inside_nat0_outbound 
extended permit ip 172.16.4.0 255.255.255.0 10.34.17.0 255.255.255.0 83 | access-list inside_nat0_outbound extended permit ip host 192.0.0.236 host 10.0.0.2 84 | access-list inside_nat0_outbound extended permit ip host 192.0.0.200 host 10.0.0.2 85 | pager lines 24 86 | logging enable 87 | logging buffered critical 88 | logging trap critical 89 | logging asdm informational 90 | logging host inside 192.0.1.44 91 | mtu outside 1500 92 | mtu inside 1500 93 | mtu dmz 1500 94 | mtu management 1500 95 | ip verify reverse-path interface outside 96 | ip audit attack action alarm drop reset 97 | no failover 98 | asdm image disk0:/asdm506.bin 99 | no asdm history enable 100 | arp timeout 14400 101 | global (outside) 10 MAIL-PUB 102 | global (outside) 1 interface 103 | nat (inside) 0 access-list inside_nat0_outbound 104 | nat (inside) 10 MAIL-PRIV 255.255.255.255 105 | nat (inside) 10 Spamstop 255.255.255.255 106 | nat (inside) 1 0.0.0.0 0.0.0.0 107 | nat (dmz) 0 10.34.17.0 255.255.255.0 108 | static (inside,outside) tcp MAIL-PUB smtp Spamstop smtp netmask 255.255.255.255 109 | static (inside,outside) tcp MAIL-PUB https MAIL-PRIV https netmask 255.255.255.255 110 | static (inside,outside) tcp MAIL-PUB www MAIL-PRIV www netmask 255.255.255.255 111 | static (inside,outside) WEB-PUB WEB-PRIV netmask 255.255.255.255 112 | static (inside,outside) CITRIX02-PUB CITRIX-02 netmask 255.255.255.255 113 | static (inside,outside) CHARTLINK-PUB CHARTLINK netmask 255.255.255.255 114 | static (inside,outside) xxx.xx.168.155 192.0.0.58 netmask 255.255.255.255 115 | static (inside,outside) WEBBETA-PUB WEBBETA-PRIV netmask 255.255.255.255 116 | static (inside,outside) GWMOBILE-PUB GWMOBILE-PRI netmask 255.255.255.255 117 | static (inside,outside) CITRIX01-PUB CITRIX01-PRI netmask 255.255.255.255 118 | static (inside,outside) xx.xxx.214.11 10.1.0.172 netmask 255.255.255.255 119 | static (inside,outside) xx.xxx.214.12 10.1.0.173 netmask 255.255.255.255 120 | static (inside,outside) xx.xxx.214.10 
192.0.1.248 netmask 255.255.255.255 121 | access-group INBOUND in interface outside 122 | access-group DMZ-INBOUND in interface dmz 123 | route outside 0.0.0.0 0.0.0.0 xxx.xxx.45.193 1 124 | route inside 10.1.0.0 255.255.255.0 10.10.0.1 1 125 | route inside 172.16.4.0 255.255.255.0 10.10.0.1 1 126 | route inside 192.0.0.0 255.255.252.0 10.10.0.1 1 127 | route dmz 10.0.0.2 255.255.255.255 10.34.17.1 1 128 | timeout xlate 3:00:00 129 | timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 130 | timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 131 | timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00 132 | timeout uauth 0:05:00 absolute 133 | http server enable 134 | http 192.0.0.0 255.255.252.0 inside 135 | no snmp-server location 136 | no snmp-server contact 137 | snmp-server enable traps snmp authentication linkup linkdown coldstart 138 | telnet 192.0.0.0 255.255.252.0 inside 139 | telnet timeout 5 140 | ssh 192.0.0.0 255.255.252.0 inside 141 | ssh timeout 10 142 | console timeout 15 143 | management-access inside 144 | ! 145 | class-map inspection_default 146 | match default-inspection-traffic 147 | ! 148 | ! 149 | policy-map global_policy 150 | class inspection_default 151 | inspect dns maximum-length 512 152 | inspect ftp 153 | inspect h323 h225 154 | inspect h323 ras 155 | inspect http 156 | inspect pptp 157 | inspect rsh 158 | inspect rtsp 159 | inspect sip 160 | inspect skinny 161 | inspect esmtp 162 | inspect sqlnet 163 | inspect tftp 164 | ! 
165 | service-policy global_policy global 166 | ntp server 192.0.0.14 source inside 167 | Cryptochecksum:d864f1e42a2a7956593e7bda657fc327 168 | : end 169 | WRH-ASA# -------------------------------------------------------------------------------- /lib/parse/sonic.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # Input: A plain-text SonicWALL Technical Support Report (.wri) file 3 | # 4 | # Output: A FWConfig::Firewall object 5 | # 6 | # Action: Parse the config line by line and update the appropriate parts of 7 | # the FWConfig::Firewall object 8 | def parse_sonic_config(config) 9 | 10 | fw = FWConfig::FirewallConfig.new 11 | fw.type = "SonicOS" 12 | 13 | ## 14 | # Both Service Objects and Address Objects have "members" and the regex 15 | # used to identify the members is the same. This is confusing when parsing 16 | # line by line because address_object members may get added to 17 | # service_objects and vice versa. These flags are used to determine if we 18 | # are processing a service_object or an address_object 19 | service_object = false 20 | address_object = false 21 | 22 | # Service Objects are made up of other Service Objects and ports. In the 23 | # config, ports are not defined before the Service Objects that use them 24 | # so we need to preproces the file to get the port names. The same is true 25 | # for Address Objects, we need to preprocess the file to get host names. 26 | port_names, host_names = preprocess_names(config) 27 | 28 | ## 29 | # Read through each line of the configuration file, use regex to identify 30 | # the relevant parts of the config file, and update the FWConfig::Firewall 31 | # object as necessary. 32 | config.each_line do |line| 33 | 34 | line.chomp! 35 | 36 | # Get the firewall name and firmware version 37 | if line =~ /^Serial number (.*)/ then fw.name = $1 end 38 | if line =~ /^Firmware version: (.*)/ then fw.firmware = $1 end 39 | 40 | # Build a list of access control lists. 
41 | if line =~ /^From ([A-Z]+ To [A-Z]+)/ then 42 | vprint_status("Processing access control list #{$1}.") 43 | fw.access_lists << FWConfig::AccessList.new($1) 44 | end 45 | 46 | # Identify a rule and create a new FWConfig::Rule object to store it. 47 | if line =~ /^Rule ([0-9]+) \(([a-zA-z]+)\)/ 48 | vprint_status("Processing rule #{$1}.") 49 | rule = FWConfig::Rule.new($1) 50 | if $2 == "Enabled" then rule.enabled = true end 51 | fw.access_lists.last.ruleset << rule 52 | end 53 | 54 | # Add the rule source 55 | if line =~ /^source:\s+(.*)$/ 56 | fw.access_lists.last.ruleset.last.source = $1 57 | end 58 | 59 | # Add the rule destination 60 | if line =~ /^destination:\s(.*)$/ 61 | fw.access_lists.last.ruleset.last.dest = $1 62 | end 63 | 64 | # Add the rule action and service 65 | if line =~ /^action:\s+(.*), service:\s+(.*)/ then 66 | fw.access_lists.last.ruleset.last.action = $1 67 | fw.access_lists.last.ruleset.last.service = $2 68 | end 69 | 70 | # Identify the interfaces in use and store them in a FWConfig::Interface 71 | # object. 72 | if line =~ /^Interface Name:\s+([A-Z0-9]+)/ then 73 | vprint_status("Processing interface #{$1}.") 74 | fw.interfaces << FWConfig::Interface.new($1) 75 | end 76 | 77 | # Add the IP address to the last interface we found. 78 | if line =~ /^IP Address:\s+(.*)/ 79 | fw.interfaces.last.ip = $1 80 | end 81 | 82 | # Add the network mask to the last interface we found. 83 | if line =~ /^Network Mask:\s+(.*)/ 84 | fw.interfaces.last.mask = $1 85 | end 86 | 87 | # Add the status to the last interface we found. 88 | if line =~ /^Port Status:\s+(.*)/ 89 | if $1 == "UP" 90 | fw.interfaces.last.status = 'Up' 91 | else 92 | fw.interfaces.last.status = 'Down' 93 | end 94 | end 95 | 96 | # Check to see if the interface is in the WAN zone. If so, it is an 97 | # external interface, otherwise it is not. 
98 | if line =~ /^Zone:\s+WAN\s+Handle:.*$/ 99 | fw.interfaces.last.external = true 100 | end 101 | 102 | # Determine which interfaces are running management protocols such as 103 | # http, and ssh. SonicWALL does not appear to support telnet. 104 | if line =~ /^Interface http Management:\s+(.*)/ 105 | if $1 == 'Yes' 106 | fw.interfaces.last.http = true 107 | end 108 | end 109 | 110 | if line =~ /^Interface https Management:\s+(.*)/ 111 | if $1 == 'Yes' 112 | fw.interfaces.last.https = true 113 | end 114 | end 115 | 116 | if line =~ /^Interface ssh Management:\s+(.*)/ 117 | if $1 == 'Yes' 118 | fw.interfaces.last.ssh = true 119 | end 120 | end 121 | 122 | #------------------------------------------------------------------------- 123 | # Professional Only Functionality 124 | #------------------------------------------------------------------------- 125 | 126 | # Parse Address Object Table 127 | if line =~ /^(.*): Handle:\d+ ZoneHandle:/ 128 | name = $1.gsub(/\(.*\)/, '') 129 | vprint_status("Processing network name #{name}.") 130 | address_object = true 131 | service_object = false 132 | fw.network_names << FWConfig::NetworkName.new(name) 133 | end 134 | 135 | # Parse Service Object Table 136 | if line =~ /^(.*): Handle:\d+ Size:.* GROUP:/ 137 | vprint_status("Processing service name #{$1}.") 138 | address_object = false 139 | service_object = true 140 | fw.service_names << FWConfig::ServiceName.new($1) 141 | end 142 | 143 | # Parse service object members 144 | if ((line =~ /^ member: Name:(.*) Handle:\d+/) && (service_object)) 145 | print_debug("Processing service object #{$1}") 146 | if port_names[$1] 147 | fw.service_names.last.ports << port_names[$1] 148 | else 149 | fw.service_names.last.ports << 'service ' + $1 150 | end 151 | end 152 | 153 | # Parse address object members 154 | if ((line =~ /^ member: Name:(.*) Handle:\d+/) && (address_object)) 155 | name = $1 156 | print_debug("Processing address object #{name}") 157 | if host_names[name] 158 | 
fw.network_names.last.hosts << host_names[name].gsub(/\(.*\)/, '') 159 | else 160 | fw.network_names.last.hosts << 'network ' + name 161 | end 162 | end 163 | end 164 | 165 | # Put the preprocessed host_names into the FWConfig::Firewall object. 166 | host_names.each do |name, ip| 167 | fw.host_names[name] = ip 168 | end 169 | 170 | return fw 171 | end 172 | 173 | 174 | ## 175 | # Input: A plain-text SonicWALL Technical Support Report (.wri) file. 176 | # 177 | # Output: Two hashes, one containing a list of port_names and another 178 | # containing a list of host_names. 179 | # 180 | # Action: Parse the config looking for port names and host names, including 181 | # network names. 182 | def preprocess_names(config) 183 | 184 | port_names = {} 185 | host_names = {} 186 | 187 | config.each_line do |line| 188 | line.chomp! 189 | 190 | # Parse Ports from the Service Object Table. Load them into port_names 191 | # for later processing. 192 | if line =~ /^(.*): Handle:\d+ .* IpType:.*/ 193 | name = $1 194 | puts line 195 | protocol, port_begin, port_end = parse_port_object(line) 196 | if port_begin == port_end 197 | port_names[name] = "#{protocol} #{port_begin}" 198 | else 199 | port_names[name] = "#{protocol} range #{port_begin} #{port_end}" 200 | end 201 | end 202 | 203 | # Parse IP addresses from Address Object Table. Load them into 204 | # host_names for later processing. 205 | if line =~ /(.*): Handle:\d+ .* HOST: (.*)/ 206 | name = $1 207 | ip = $2 208 | name.gsub!(/\(.*\)/, '') 209 | print_debug("Host Name: #{name}") 210 | host_names[name] = ip + '/32' 211 | end 212 | 213 | # Parse Networks from Address Object Table. Load them into host_names 214 | # for later processing. 
215 | if line =~ /(.*): Handle:\d+ .* NETWORK: (.*) - (.*)/ 216 | name = $1 217 | ip = $2 218 | mask = $3 219 | name.gsub!(/\(.*\)/, '') 220 | print_debug("Network Name: #{name}") 221 | host_names[name] = ip + '/' + mask 222 | end 223 | 224 | end 225 | 226 | return port_names, host_names 227 | end 228 | 229 | ## 230 | # Input: A string 231 | # 232 | # Output: Three strings representing the protocol, begging port, and ending 233 | # port 234 | # 235 | # Action: Parse the given line to identify the protocol (IpType), the beginning 236 | # port, and the ending port. 237 | def parse_port_object(line) 238 | vprint_status("Processing port object.") 239 | 240 | protocol = '' 241 | if line =~ /Port Begin: (\d+)/ 242 | port_begin = $1 243 | end 244 | 245 | if line =~ /Port End: (\d+)/ 246 | port_end = $1 247 | end 248 | 249 | if line =~ /IpType: (\d+)/ 250 | case $1 251 | when '1' 252 | protocol = 'icmp' 253 | when '2' 254 | protocol = 'igmp' 255 | when '6' 256 | protocol = 'tcp' 257 | when '17' 258 | protocol = 'udp' 259 | else 260 | protocol = 'ip_type ' + $1 261 | end 262 | end 263 | 264 | print_debug("Protocol: " + protocol) 265 | print_debug("port_begin: " + port_begin) 266 | print_debug("port_end: " + port_end) 267 | 268 | return protocol, port_begin, port_end 269 | end 270 | 271 | -------------------------------------------------------------------------------- /lib/report/xml.rb: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------- 2 | # Professional Functionality 3 | #------------------------------------------------------------------------- 4 | 5 | module Report 6 | module XMLReport 7 | require 'date' 8 | 9 | ## 10 | # Input: FWConfig::Firewall object and an Analysis::Summary object. 11 | # 12 | # Output: A string containing an XML representation of the report. 
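#
# Action: Create an XML document using the data in the FWConfig::Firewall
# object and the Analysis::Summary object.
#
# NOTE(review): in this copy of the file the open/close tag literals are
# empty strings or "\n" (they look stripped); they are kept exactly as
# found here — confirm against the original source before relying on the
# document structure.
def generate_xml_report(firewall, analysis)
  vprint_status("Writing XML report.")
  xml = "\n"

  # Configuration information
  xml << "\n"
  xml << create_element('name', firewall.name) + "\n"
  xml << create_element('type', firewall.type) + "\n"
  xml << create_element('firmware', firewall.firmware) + "\n"

  # Configuration summary counts
  xml << ""
  xml << create_element('rule_count', firewall.rule_count)
  xml << create_element('acl_count', firewall.acl_count)
  xml << create_element('interface_count', firewall.int_count)
  xml << create_element('interface_up_count', firewall.ints_up)
  xml << ""

  # Per-section detail; each helper returns '' when it has nothing to add
  xml << interfaces_to_xml(firewall.interfaces)
  xml << access_lists_to_xml(firewall.access_lists, firewall.type)
  xml << host_names_to_xml(firewall.host_names)
  xml << network_names_to_xml(firewall.network_names)
  xml << service_names_to_xml(firewall.service_names)

  xml << "\n"

  # Analysis results
  xml << "\n"

  # Analysis summary counts. These lines previously assigned into a scratch
  # variable (x = create_element(...)) instead of appending to xml, so the
  # high/medium/low vulnerability and rule counts never reached the report.
  xml << ""
  xml << create_element('high_count', analysis.high_count)
  xml << create_element('medium_count', analysis.medium_count)
  xml << create_element('low_count', analysis.low_count)
  xml << create_element('high_rule_count', analysis.high_rule_count)
  xml << create_element('medium_rule_count', analysis.medium_rule_count)
  xml << create_element('low_rule_count', analysis.low_rule_count)
  xml << ""

  # Vulnerability detail, grouped by severity
  xml << vulnerabilities_to_xml(analysis)

  xml << "\n"
  xml << "\n"

  return xml
end
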
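##
# Create an XML element named `name` whose text content is `text`.
#
# text may be a String, a number or nil (nil yields an empty element).
# The text is XML-escaped before being wrapped: every value that reaches
# this method is taken from the parsed firewall configuration (object
# names, rule sources/destinations, comments, vulnerability descriptions),
# so a '<' or '&' in the config would otherwise produce a malformed report
# or let config content inject its own elements. '&' is replaced first so
# the entities produced for '<' and '>' are not re-escaped. name is always
# a literal from this file and is not escaped.
def create_element(name, text)
  escaped = text.to_s.gsub('&', '&amp;').gsub('<', '&lt;').gsub('>', '&gt;')
  return "<#{name}>#{escaped}</#{name}>"
end

##
# Convert the interface list to XML. Returns '' when interfaces is nil.
def interfaces_to_xml(interfaces)
  vprint_status("Writing interfaces to XML.")

  x = ''
  return x unless interfaces

  x << "\n"
  interfaces.each do |i|
    x << ""
    x << create_element('name', i.name)
    x << create_element('ip', i.ip)
    x << create_element('mask', i.mask)
    x << create_element('status', i.status)
    x << create_element('http', i.http)
    x << create_element('https', i.https)
    x << create_element('ssh', i.ssh)
    x << create_element('telnet', i.telnet)
    x << "\n"
  end
  x << "\n"

  return x
end

##
# Convert the access_lists to XML. Each list carries its name, the
# interface it is bound to ('' when none) and its rules. Returns '' when
# acls is nil. type is passed straight through to rule_to_xml.
def access_lists_to_xml(acls, type)
  vprint_status("Writing access control lists to XML.")
  x = ''
  return x unless acls

  x << "\n"
  acls.each do |a|
    x << ""
    x << create_element('name', a.name)
    x << create_element('interface', a.interface ? a.interface : '')
    x << ""
    a.ruleset.each { |r| x << rule_to_xml(r, type) }
    x << ""
    x << "\n"
  end
  x << "\n"

  return x
end

##
# Convert a single rule to XML. The type argument is accepted by the
# signature but is not used in this method.
def rule_to_xml(rule, type)
  vprint_status("Writing rule to XML")

  x = ''
  x << ''
  x << create_element('id', rule.num)
  x << create_element('enabled', rule.enabled)
  x << create_element('protocol', rule.protocol)
  x << create_element('source', rule.source)
  x << create_element('destination', rule.dest)
  x << create_element('action', rule.action)
  x << create_element('service', rule.service)
  x << create_element('comment', rule.comment)
  x << ''

  return x
end


##
# Convert the vulnerabilities to XML. Each severity group (high, medium,
# low) is written out separately.
def vulnerabilities_to_xml(analysis)
  vprint_status("Writing vulnerabilities to XML.")
  x = "\n"

  # Add high severity vulnerabilities
  x << "\n"
  unless analysis.highs.empty?
    x << vuln_list_to_xml(analysis.highs)
  else
    x << ""
  end
  x << "\n"

  # Add medium severity vulnerabilities
  x << "\n"
  unless analysis.mediums.empty?
    x << vuln_list_to_xml(analysis.mediums)
  else
    x << ""
  end
  x << "\n"

  # Add low severity vulnerabilities
  x << "\n"
  unless analysis.lows.empty?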
187 | x << vuln_list_to_xml(analysis.lows) 188 | else 189 | x << "" 190 | end 191 | x << "\n" 192 | 193 | x << "\n" 194 | return x 195 | end 196 | 197 | ## 198 | # Wrapper method to write a list of vulnerabilities to XML 199 | def vuln_list_to_xml(vulns) 200 | 201 | x = '' 202 | 203 | vulns.each do |v| 204 | x << vulnerability_to_xml(v) 205 | end 206 | 207 | return x 208 | end 209 | 210 | ## 211 | # Convert an individual vulnerability to XML 212 | def vulnerability_to_xml(v) 213 | vprint_status("Writing #{v.name} (#{v.severity.upcase}) to XML.") 214 | x = '' 215 | 216 | x << "" 217 | x << create_element('name', v.name) 218 | x << create_element('severity', v.severity) 219 | x << create_element('description', v.desc) 220 | x << create_element('solution', v.solution) 221 | x << "" 222 | 223 | x << create_element('affected_item_header', v.affected[0].join(",")) 224 | 225 | v.affected[1, v.affected.length].each do |a| 226 | x << create_element('affected_item_row', a.join(",")) 227 | end 228 | 229 | x << "" 230 | x << "\n" 231 | 232 | return x 233 | end 234 | 235 | ## 236 | # Convert host_names to XML 237 | def host_names_to_xml(host_names) 238 | vprint_status("Writing host names to XML.") 239 | x = '' 240 | 241 | unless host_names.empty? 242 | x << "\n" 243 | 244 | host_names.each do |name, ip| 245 | x << '' 246 | x << create_element('name', name) 247 | x << create_element('ip', ip) 248 | x << "\n" 249 | end 250 | 251 | x << "\n" 252 | end 253 | 254 | return x 255 | end 256 | 257 | ## 258 | # Convert network_names to XML 259 | def network_names_to_xml(network_names) 260 | vprint_status("Writing network names to XML.") 261 | x = '' 262 | 263 | unless network_names.empty? 
264 | x << "\n" 265 | 266 | network_names.each do |n| 267 | x << "" 268 | x << create_element('name', n.name) 269 | x << "" 270 | 271 | n.hosts.each do |host| 272 | x << create_element('host', host) 273 | end 274 | 275 | x << "" 276 | x << "\n" 277 | end 278 | 279 | x << "\n" 280 | 281 | end 282 | 283 | return x 284 | end 285 | 286 | 287 | ## 288 | # Convert Service Names to XML 289 | def service_names_to_xml(service_names) 290 | vprint_status("Writing service names to XML.") 291 | x = '' 292 | 293 | unless service_names.empty? 294 | x << "\n" 295 | 296 | service_names.each do |s| 297 | x << "" 298 | x << create_element('name', s.name) 299 | x << create_element('protocol', s.protocol) 300 | x << "" 301 | 302 | s.ports.each do |p| 303 | x << create_element('port', p) 304 | end 305 | 306 | x << "" 307 | x << "\n" 308 | end 309 | 310 | x << "\n" 311 | end 312 | 313 | return x 314 | end 315 | 316 | 317 | end 318 | 319 | end 320 | -------------------------------------------------------------------------------- /lib/report/html.rb: -------------------------------------------------------------------------------- 1 | module Report 2 | module HTMLReport 3 | require 'date' 4 | 5 | ## 6 | # Input: FWConfig::Firewall object, Analysis::Summary object, and a file name 7 | # containing a template for the HTML report. 8 | # 9 | # Output: A string containing an HTML file with the report. 10 | # 11 | # Action: Make sure the template file exists, is a file and is not empty. 12 | # Open the file and insert the appropriate parts of the report. A custom 13 | # template file can be specified using the -t command line option. 14 | def generate_html_report(firewall, analysis, template) 15 | 16 | # Does the tempate file exist? 17 | unless File.exists?(template) 18 | raise ReportError, "File #{template} does not exist." 19 | end 20 | 21 | # Is the file a file and not a directory? 22 | unless File.file?(template) 23 | raise ReportError, "#{template} is not a file." 
24 | end 25 | 26 | # Is the file empty? 27 | if File.zero?(template) 28 | raise ReportError, "The file #{template} is empty." 29 | end 30 | 31 | # Open the template file 32 | html = File.open(template) {|f| f.read} 33 | 34 | # Replace id, firmware, and type 35 | html.gsub!(/--name--/, firewall.name) 36 | html.gsub!(/--type--/, firewall.type) 37 | html.gsub!(/--firmware--/, firewall.firmware ? firewall.firmware : "None") 38 | 39 | # Insert Summary Statement 40 | html.gsub!(/--summary_statement--/, summary_to_html(firewall, analysis)) 41 | 42 | # Insert Interfaces 43 | html.gsub!(/--interfaces--/, interfaces_to_html(firewall.interfaces)) 44 | 45 | # Insert Remote Management 46 | html.gsub!(/--management--/, management_to_html(firewall.interfaces)) 47 | 48 | # Insert Access Control Lists 49 | html.gsub!(/--access_lists--/, access_lists_to_html(firewall.access_lists, firewall.type)) 50 | 51 | # Insert Analysis Results 52 | html.gsub!(/--analysis--/, vulnerabilities_to_html(analysis)) 53 | 54 | # Insert Host Names 55 | html.gsub!(/--host_names--/, host_names_to_html(firewall.host_names)) 56 | 57 | # Insert Network Names 58 | html.gsub!(/--network_names--/, network_names_to_html(firewall.network_names)) 59 | 60 | # Insert Service Names 61 | html.gsub!(/--service_names--/, service_names_to_html(firewall.service_names)) 62 | 63 | return html 64 | 65 | end 66 | 67 | ## 68 | # Input: A FWConfig::Firewall object and an Analysis::Summary object 69 | # 70 | # Output: A string containing a summary of the configuration and analysis. 71 | def summary_to_html(fw, an) 72 | 73 | s = "
\n" 74 | s << "

The #{fw.type} firewall with hostname #{fw.name} " 75 | s << "and running firmware version #{fw.firmware} was " 76 | s << "analyzed with Prometheus Firewall Analyzer (Prometheus) on " 77 | s << "#{Date.today.to_s}. Prometheus identified (#{an.high_count}) " 78 | s << "high-severity, (#{an.medium_count}) medium-severity, and " 79 | s << "(#{an.low_count}) low-severity vulnerabilities.

" 80 | s << "Prometheus processed #{fw.acl_count} access control lists " 81 | s << "with a total of #{fw.rule_count} rules. Of the #{fw.rule_count} " 82 | s << "rules identified, #{an.high_rule_count} had high-severity " 83 | s << "vulnerabilities, #{an.medium_rule_count} had medium-severity " 84 | s << "vulnerabilities, and #{an.low_rule_count} had low_severity " 85 | s << "vulnerabilities.

" 86 | s << "

Prometheus identified #{fw.int_count} interfaces on the " 87 | s << "firewall, #{fw.ints_up} of which were active.

" 88 | s << "
\n" 89 | 90 | return s 91 | end 92 | 93 | ## 94 | # Input: A list of FWConfig::Interface objects 95 | # 96 | # Output: A string containig the list of FWConfig::Interface objects as HTML. 97 | # Only includes the name, ip address, subnet mask and status. 98 | def interfaces_to_html(interfaces) 99 | vprint_status("Writing interfaces to HTML.") 100 | 101 | h = '' 102 | unless interfaces.empty? 103 | 104 | h << "
\n" 105 | h << "

Interfaces

\n" 106 | 107 | t = HTMLTable::Table.new( 108 | 'Columns' => ['Name', 'IP Address', 'Subnet Mask', 'Status'] 109 | ) 110 | 111 | interfaces.each do |i| 112 | t.rows << [i.name, i.ip, i.mask, i.status] 113 | end 114 | 115 | h << t.to_html 116 | h << "
\n" 117 | end 118 | 119 | return h 120 | 121 | end 122 | 123 | ## 124 | # Input: A list of FWConfig::Interface objects. 125 | # 126 | # Output: A string containg an HTML table of management protocols in use 127 | # on each interface. 128 | def management_to_html(interfaces) 129 | vprint_status("Writing remote management to HTML.") 130 | h = '' 131 | 132 | unless interfaces.empty? 133 | 134 | h << "
\n" 135 | h << "

Remote Management

\n" 136 | 137 | t = HTMLTable::Table.new( 138 | 'Columns' => ['Interface', 'HTTP', 'HTTPS', 'SSH', 'Telnet'] 139 | ) 140 | 141 | interfaces.each do |i| 142 | t.rows << [i.name, i.http, i.https, i.ssh, i.telnet] 143 | end 144 | 145 | h << t.to_html 146 | h << "
\n" 147 | end 148 | 149 | return h 150 | end 151 | 152 | ## 153 | # Input: An Analysis::Summary object. 154 | # 155 | # Output: A string containing an HTML representation of the vulnerabilities. 156 | # Vulnerabilities are listed in order of severity. 157 | def vulnerabilities_to_html(analysis) 158 | vprint_status("Writing vulnerabilities to HTML.") 159 | h = "
\n" 160 | 161 | unless analysis.highs.empty? 162 | h << vuln_list_to_html(analysis.highs) 163 | else 164 | h << "

High-severity Vulnerabilities

\n" 165 | h << "

No high-severity vulnerabilities to report.

\n" 166 | end 167 | 168 | unless analysis.mediums.empty? 169 | h << vuln_list_to_html(analysis.mediums) 170 | else 171 | h << "

Medium-severity Vulnerabilities

\n" 172 | h << "

No medium-severity vulnerabilities to report.

\n" 173 | end 174 | 175 | unless analysis.lows.empty? 176 | h << vuln_list_to_html(analysis.lows) 177 | else 178 | h << "

Low-severity Vulnerabilities

\n" 179 | h << "

No low-severity vulnerabilities to report.

\n" 180 | end 181 | 182 | h << "
\n" 183 | return h 184 | end 185 | 186 | ## 187 | # Input: A list of Analysis::Vulnerability objects 188 | # 189 | # Output: A string containg an HTML representation of the list of 190 | # vulnerabilities. 191 | def vuln_list_to_html(vulns) 192 | 193 | h = '' 194 | 195 | vulns.each do |v| 196 | h << vulnerability_to_html(v) 197 | end 198 | 199 | return h 200 | end 201 | 202 | ## 203 | # Input: An Analysis::Vulnerability object 204 | # 205 | # Output: A string containing an HTML representation of a vulnerability. 206 | def vulnerability_to_html(v) 207 | vprint_status("Writing #{v.name} (#{v.severity.upcase}) to HTML.") 208 | h = '' 209 | 210 | t = HTMLTable::Table.new( 'Columns' => v.affected[0]) 211 | 212 | v.affected[1, v.affected.length].each do |a| 213 | t.rows << a 214 | end 215 | 216 | h << "
\n" 217 | h << "

#{v.name} (#{v.severity.upcase})

\n" 218 | h << "

Description: #{v.desc}

\n" 219 | h << "

Solution: #{v.solution}

\n" 220 | h << t.to_html 221 | h << "
\n" 222 | 223 | return h 224 | end 225 | 226 | ## 227 | # Input: A list of Config:AccessList objects and a firewall type 228 | # 229 | # Output: A string containing an HTML representation of an acl 230 | # 231 | # Action: SonicWALL firewalls do not store a protocol with the rule so do 232 | # not display the protocol column in the HTML table. Use the type variable 233 | # to determine if this is a SonicWALL. 234 | def access_lists_to_html(acls, type) 235 | vprint_status("Writing access control lists to HTML.") 236 | h = '' 237 | 238 | unless acls.empty? 239 | h << "
\n" 240 | h << "

Access Control Lists

\n" 241 | 242 | # Do not display the protocol column for SonicWALLs 243 | if type == 'SonicOS' 244 | columns = ['ID', 'Enabled', 'Source', 'Destination', 'Action', 'Service'] 245 | else 246 | columns = ['ID', 'Enabled', 'Protocol', 'Source', 'Destination', 'Action', 'Service'] 247 | end 248 | 249 | acls.each do |a| 250 | interface = a.interface ? " (#{a.interface})" : '' 251 | t = HTMLTable::Table.new( 252 | 'Columns' => columns, 253 | 'Header' => a.name + interface 254 | ) 255 | a.ruleset.each do |r| 256 | # Do not display the protocol column for SonicWALLs 257 | if type == 'SonicOS' 258 | t.rows << [r.num, r.enabled, r.source, r.dest, r.action, r.service] 259 | else 260 | t.rows << [r.num, r.enabled, r.protocol, r.source, r.dest, r.action, r.service] 261 | end 262 | end 263 | 264 | h << t.to_html 265 | end 266 | 267 | h << "
\n" 268 | end 269 | 270 | return h 271 | end 272 | 273 | #------------------------------------------------------------------------- 274 | # Professional Functionality 275 | #------------------------------------------------------------------------- 276 | 277 | ## 278 | # Input: A hash of name/IP pairs 279 | # 280 | # Output: A string containing an HTML representation of the list of host 281 | # names. 282 | def host_names_to_html(host_names) 283 | vprint_status("Writing host names to HTML.") 284 | h = '' 285 | 286 | unless host_names.empty? 287 | h << "
\n" 288 | h << "

Host Names

\n" 289 | 290 | t = HTMLTable::Table.new( 291 | 'Columns' => ['Host Name', 'IP Address'] 292 | ) 293 | 294 | host_names.each do |name, ip| 295 | print_debug("Host Name: #{name} - #{ip}") 296 | t.rows << [name, ip] 297 | end 298 | 299 | h << t.to_html 300 | h << "
\n" 301 | end 302 | 303 | return h 304 | end 305 | 306 | ## 307 | # Input: A list of FWConfig::NetworkName objects 308 | # 309 | # Output: A string containing an HTML representation of the list of 310 | # network names. 311 | def network_names_to_html(network_names) 312 | vprint_status("Writing network names to HTML.") 313 | h = '' 314 | 315 | unless network_names.empty? 316 | h << "
\n" 317 | h << "

Network Names

\n" 318 | 319 | network_names.each do |n| 320 | if n.hosts.empty? then next end 321 | t = HTMLTable::Table.new( 322 | 'Columns' => [n.name] 323 | ) 324 | n.hosts.each do |host| 325 | print_debug("Network Name: #{host}") 326 | t.rows << [host] 327 | end 328 | h << t.to_html 329 | end 330 | 331 | h << "
\n" 332 | 333 | end 334 | 335 | return h 336 | end 337 | 338 | ## 339 | # Input: A list of FWConfig::ServiceName objects 340 | # 341 | # Output: A string containing an HTML representation of the list of 342 | # service names. 343 | def service_names_to_html(service_names) 344 | vprint_status("Writing service names to HTML.") 345 | h = '' 346 | 347 | unless service_names.empty? 348 | h << "
\n" 349 | h << "

Service Names

\n" 350 | 351 | service_names.each do |s| 352 | if s.ports.empty? then next end 353 | t = HTMLTable::Table.new( 354 | 'Columns' => [s.name] 355 | ) 356 | print_debug("Service Name: #{s.name}") 357 | s.ports.each do |p| 358 | print_debug("Port: #{p}") 359 | t.rows << [p] 360 | end 361 | h << t.to_html 362 | end 363 | 364 | h << "
\n" 365 | end 366 | 367 | return h 368 | end 369 | 370 | 371 | end 372 | 373 | end 374 | -------------------------------------------------------------------------------- /lib/common/config.rb: -------------------------------------------------------------------------------- 1 | module FWConfig 2 | 3 | ## 4 | # Class to hold a firewall configuration. 5 | # 6 | # @name - firewall name 7 | # @firmware - firmware version 8 | # @type - firewall type, ASA, PIX, SonicWALL, etc 9 | # @access_lists - an array of AccessList objects 10 | # @interfaces - a list of Interface objects 11 | # @host_names - a Hash of name/IP pairs 12 | # @service_names - a list of ServiceName objects 13 | # @network_names - a list of NetworkName objects 14 | # rule_count - number of rules found 15 | # acl_count - number of acl entries found 16 | # int_count - number of interfaces found 17 | # ints_up - number of interfaces that are up 18 | class FirewallConfig 19 | attr_accessor :name, :firmware, :type, :access_lists, :interfaces 20 | attr_accessor :host_names, :service_names, :network_names 21 | 22 | def initialize 23 | @name = nil 24 | @firmware = nil 25 | @type = nil 26 | @access_lists = Array.new 27 | @interfaces = Array.new 28 | @host_names = Hash.new 29 | @service_names = Array.new 30 | @network_names = Array.new 31 | end 32 | 33 | ## 34 | # The parser is expected to set @type to 'ASA', 'PIX', 'EC2', or 35 | # 'SonicOS'. Anything else raises an error. 
36 | def type=(input) 37 | if ['ASA', 'PIX', 'SonicOS', 'EC2'].include?(input) 38 | @type = input 39 | else 40 | raise ParseError.new("Invalid input for FWConfig::Firewall.type: #{input}") 41 | end 42 | end 43 | 44 | ## 45 | # Count the number of rules identified and return the count 46 | def rule_count 47 | rc = 0 48 | @access_lists.each do |acl| 49 | rc += acl.ruleset.length 50 | end 51 | 52 | return rc 53 | end 54 | 55 | ## 56 | # Count the number of ACLs identified and return the count 57 | def acl_count 58 | return @access_lists.length 59 | end 60 | 61 | ## 62 | # Count the number of interfaces and return the count 63 | def int_count 64 | return @interfaces.length 65 | end 66 | 67 | ## 68 | # Count the number of interfaces that are up and return the count 69 | def ints_up 70 | up = 0 71 | @interfaces.each do |i| 72 | if i.status == 'Up' then up += 1 end 73 | end 74 | 75 | return up 76 | end 77 | 78 | ## 79 | # Return true if @service_names includes name 80 | def service?(sname) 81 | @service_names.each do |sn| 82 | if sn.name == sname then return true end 83 | end 84 | return false 85 | end 86 | 87 | ## 88 | # Return true if @network_names includes name 89 | def network?(nname) 90 | @network_names.each do |nn| 91 | if nn.name == nname then return true end 92 | end 93 | return false 94 | end 95 | end 96 | 97 | 98 | ## 99 | # Class to hold access lists. 100 | # 101 | # @name - the name of the access list 102 | # @interface - the name of the interface the access list applies to 103 | # @ruleset - a list of Rule objects 104 | class AccessList 105 | attr_accessor :name, :interface, :ruleset 106 | 107 | def initialize(name) 108 | @name = name 109 | @interface = nil 110 | @ruleset = Array.new 111 | end 112 | end 113 | 114 | 115 | ## 116 | # Class to hold service names. 
117 | # 118 | # @name - the name of the service 119 | # @protocol - the protocol associated with the services 120 | # @ports - a list of strings representing ports or port ranges 121 | # associated with the service. 122 | class ServiceName 123 | attr_accessor :name, :protocol, :ports 124 | 125 | def initialize(name) 126 | @name = name 127 | @protocol = nil 128 | @ports = Array.new 129 | end 130 | 131 | end 132 | 133 | 134 | ## 135 | # Class to hold network names. 136 | # 137 | # @name - the name of the network 138 | # @hosts - a list of strings representing the hosts associated with the 139 | # network name. 140 | class NetworkName 141 | attr_accessor :name, :hosts 142 | 143 | def initialize(name) 144 | @name = name 145 | @hosts = Array.new 146 | end 147 | 148 | end 149 | 150 | 151 | ## 152 | # Class to hold the interfaces. 153 | # 154 | # @name - the name of the interface or the IP address if no name is 155 | # defined. 156 | # @ip - the IP address for the interface 157 | # @mask - the subnet mask for the interface 158 | # @status - is the interface up or down 159 | # @external - is this an external interface 160 | # @http - is HTTP management accessible on this interface 161 | # @https - is HTTPS managment accessible on this interface 162 | # @ssh - is SSH management accessible on this interface 163 | # @telnet - is Telnet management accessible on this interface 164 | class Interface 165 | attr_accessor :name, :ip, :mask, :status, :external 166 | attr_accessor :http, :https, :ssh, :telnet 167 | 168 | def initialize(name) 169 | @name = name 170 | @ip = ' ' 171 | @mask = ' ' 172 | @status = 'Up' 173 | @external = false 174 | @http = false 175 | @https = false 176 | @ssh = false 177 | @telnet = false 178 | end 179 | 180 | ## 181 | # Confirm the input string is in the form of an IP address. If not 182 | # raise a parse error. 
def ip=(input)
  # 'dhcp' is a legal placeholder for an address; anything else must look
  # like an IP according to is_ip? (not shown here).
  valid = (input == 'dhcp') || is_ip?(input)
  raise ParseError, "Invalid input for FWConfig::Interface.ip: #{input}" unless valid
  @ip = input
end

##
# Store the subnet mask. 'setroute' is accepted verbatim; anything else must
# satisfy is_mask? (not shown here) or a ParseError is raised.
def mask=(input)
  valid = (input == 'setroute') || is_mask?(input)
  raise ParseError, "Invalid input for FWConfig::Interface.mask: #{input}" unless valid
  @mask = input
end

##
# Store the link status. Only the literals 'Up' and 'Down' are accepted;
# anything else raises a ParseError.
def status=(input)
  case input
  when 'Up', 'Down'
    @status = input
  else
    raise ParseError, "Invalid input for FWConfig::Interface.status: #{input}"
  end
end

# Accessor methods for @http

##
# Raw boolean: is HTTP management enabled on this interface?
def http?
  @http
end

##
# Report-friendly form of @http: 'Yes' when enabled, otherwise 'No'.
def http
  @http ? 'Yes' : 'No'
end

##
# Store the HTTP management flag. Only true or false is accepted; anything
# else raises a ParseError.
def http=(input)
  unless [true, false].include?(input)
    raise ParseError, "Invalid input for FWConfig::Interface.http: #{input}"
  end
  @http = input
end

# Accessor methods for @https

##
# Raw boolean: is HTTPS management enabled on this interface?
def https?
  @https
end

##
# Report-friendly form of @https: 'Yes' when the flag is true, otherwise
# 'No'.
def https
  if @https then 'Yes' else 'No' end
end

##
# The parser is expected to set @https to true or false. Anything else
# raises an error.
def https=(input)
  unless [true, false].include?(input)
    raise ParseError, "Invalid input for FWConfig::Interface.https: #{input}"
  end
  @https = input
end

# Accessor methods for @ssh

##
# Returns @ssh, which is true or false.
def ssh?
  @ssh
end

##
# @ssh is set to true or false but Yes or No is needed for the report.
# Return the appropriate response based on the value of @ssh.
def ssh
  if @ssh then 'Yes' else 'No' end
end

##
# The parser is expected to set @ssh to true or false. Anything else
# raises an error.
def ssh=(input)
  unless [true, false].include?(input)
    raise ParseError, "Invalid input for FWConfig::Interface.ssh: #{input}"
  end
  @ssh = input
end

# Accessor methods for @telnet

##
# Returns @telnet, which is true or false.
def telnet?
  @telnet
end

##
# @telnet is set to true or false but Yes or No is needed for the
# report. Return the appropriate response based on the value of
# @telnet.
def telnet
  if @telnet then 'Yes' else 'No' end
end

##
# The parser is expected to set @telnet to true or false. Anything
# else raises an error.
def telnet=(input)
  unless [true, false].include?(input)
    raise ParseError, "Invalid input for FWConfig::Interface.telnet: #{input}"
  end
  @telnet = input
end

# Accessor methods for @external

##
# Returns @external, which is true or false.
def external?
  @external
end

##
# The parser is expected to set @external to true or false. Anything
# else raises an error.
def external=(input)
  unless [true, false].include?(input)
    raise ParseError, "Invalid input for FWConfig::Interface.external: #{input}"
  end
  @external = input
end

end

##
# Class to hold the rules.
#
# @num - id number for the rule
# @enabled - is the rule enabled
# @protocol - what protocol is in use in the rule
# @source - source IP address, host, network, etc
# @dest - destination IP address, host, network, etc
# @action - Allow or Deny
# @service - which services does the rule govern
# @comment - any comments or remarks associated with the rule.
class Rule
  # NOTE: the generated enabled, enabled=, action=, source=, dest= and
  # service= methods are overridden by the validating versions defined
  # explicitly in this class.
  attr_accessor :num, :enabled, :protocol, :source
  attr_accessor :dest, :action, :service, :comment

  # A rule starts disabled with empty string fields and no comment; the
  # parser fills the rest in through the setters.
  def initialize(num)
    @num = num
    @enabled = false
    @protocol = ''
    @source = ''
    @dest = ''
    @action = ''
    @service = ''
    @comment = nil
  end

  # Accessor methods for @enabled

  ##
  # Returns @enabled, which is true or false.
  def enabled?
    @enabled
  end

  ##
  # @enabled is set to true or false but Yes or No is needed for the
  # report. Return the appropriate response based on the value of
  # @enabled.
  def enabled
    if @enabled then 'Yes' else 'No' end
  end

  ##
  # The parser is expected to set @enabled to true or false. Anything
  # else raises an error.
def enabled=(input)
  unless [true, false].include?(input)
    raise ParseError, "Invalid input for FWConfig::Rule.enabled: #{input}"
  end
  @enabled = input
end

# Accessor methods for @allowed

##
# Returns true or false based on whether @action is set to 'Allow'.
def allowed?
  @action == 'Allow'
end

# Accessor methods for @action

##
# The parser is expected to set @action to 'Allow' or 'Deny'. Anything
# else raises an error.
def action=(input)
  case input
  when 'Allow', 'Deny'
    @action = input
  else
    raise ParseError, "Invalid input for FWConfig::Rule.action: #{input}"
  end
end

# Accessor methods for @source

##
# Check input to see if @source should be 'Any'. If so, then set
# @source to 'Any', else set @source to the input value.
def source=(input)
  @source = any?(input) ? 'Any' : input
end

# Accessor methods for @dest

##
# Check input to see if @dest should be 'Any'. If so, then set @dest
# to 'Any', else set @dest to the input value.
def dest=(input)
  @dest = any?(input) ? 'Any' : input
end

# Accessor methods for @service

##
# Check input to see if @service should be 'Any'. If so, then set
# @service to 'Any', else set @service to the input value.
def service=(input)
  @service = any?(input) ? 'Any' : input
end

protected

##
# Input: a string
#
# Output: true or false
#
# Action: Check to see if the string is in the list of strings that
# indicate an any value.
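# Return true if the string is in the list and false if it is not.
# The comparison is case-insensitive ('ANY' counts as well).
def any?(str)
  %w[any 0.0.0.0/0].include?(str.downcase)
end

end

end
--------------------------------------------------------------------------------
/lib/parse/cisco.rb:
--------------------------------------------------------------------------------
##
# Input: A plain-text Cisco ASA configuration file
#
# Output: A FWConfig::FirewallConfig object
#
# Action: Parse the config line by line and update the appropriate parts of
# the FWConfig::Firewall object. The file is read in several passes so that
# host names and network/service objects are known before the access lists
# and interfaces that reference them are parsed. @fw is shared by every
# parse_* helper in this file.
def parse_cisco_config(config)
  @fw = FWConfig::FirewallConfig.new

  parse_host_names(config)
  parse_network_service_objects(config)
  parse_access_lists(config)
  parse_settings(config)

  @fw
end

##
# Input: A firewall config file (the FWConfig::FirewallConfig is @fw)
#
# Output: Nothing; @fw is updated in place
#
# Action: Read through each line of the configuration file, use regex to
# identify the relevant parts of the config file, and update the
# FWConfig::Firewall object as necessary: device name, firmware/type, the
# interfaces with their address, status and external flag, and which
# interfaces have http, ssh or telnet management enabled.
def parse_settings(config)
  config.each_line do |line|
    line.chomp!

    # Identify the host name
    @fw.name = $1 if line =~ /^hostname (.*)$/

    # The same code is used to parse both ASA and PIX files but still need
    # to know the file type for reporting purposes.
    if line =~ /ASA Version (.*)$/
      @fw.firmware = $1
      @fw.type = 'ASA'
    end

    if line =~ /PIX Version (.*)$/
      @fw.firmware = $1
      @fw.type = 'PIX'
    end

    # Build a list of interfaces on the device.
    if line =~ /^interface (.*)/
      vprint_status("Processing interface #{$1}")
      @fw.interfaces << FWConfig::Interface.new($1)
    end

    # The indented sub-commands below all apply to the interface most
    # recently seen (nil until the first 'interface' line).
    interface = @fw.interfaces.last

    # Rename the interface if nameif is defined
    interface.name = $1 if line =~ /^ nameif ([a-zA-Z0-9\/]+)/

    # Get the IP address and mask for the interface. The address is either
    # a dotted quad, the literal 'dhcp', or a name from the 'name' table
    # collected by parse_host_names.
    if line =~ /^ ip address (.*)/
      ip, mask = $1.split(" ")
      case ip
      when /\d+\.\d+\.\d+\.\d+/
        print_debug("Processing as ip")
        interface.ip = ip
      when 'dhcp'
        print_debug("Processing as 'dhcp'")
        interface.ip = ip
      else
        # NOTE(review): an unknown name yields nil here, which the Interface
        # setter will reject — confirm that is the intended failure mode.
        print_debug("Processing as hostname")
        interface.ip = @fw.host_names[ip]
      end

      interface.mask = mask
    end

    # Determine the status of the interface based on the shutdown command.
    interface.status = "Down" if line =~ /^ shutdown/

    # Determine if the interface is external based on security level 0.
    # $1 is a String, so it must be converted before comparing with 0;
    # comparing the String directly to 0 never matched, so no interface
    # was ever marked external.
    if line =~ /^ security-level (\d+)/
      interface.external = true if $1.to_i.zero?
    end

    # Determine which interfaces are running management protocols such as
    # http, ssh, and telnet. The interface name is the last whitespace
    # separated token of the command, so loop through the interfaces to
    # find the one the management protocol is running on.
    if line =~ /^http .*\s.*\s(.*)/
      int_name = $1
      vprint_status line
      @fw.interfaces.each { |int| int.http = true if int.name == int_name }
    end

    if line =~ /^ssh .*\s.*\s(.*)/
      int_name = $1
      vprint_status line
      @fw.interfaces.each { |int| int.ssh = true if int.name == int_name }
    end

    if line =~ /^telnet .*\s.*\s(.*)/
      int_name = $1
      vprint_status line
      @fw.interfaces.each { |int| int.telnet = true if int.name == int_name }
    end
  end
end


#-----------------------------------------------------------------------------
# Additional methods needed for parsing the config file.
#-----------------------------------------------------------------------------

##
# Input: A firewall config file (the FWConfig::FirewallConfig is @fw)
#
# Output: Nothing; @fw.host_names is filled in
#
# Action: Create a hash of hostname to IP address mappings from the 'name'
# commands, dropping any trailing description from the name.
def parse_host_names(config)
  config.each_line do |line|
    line.chomp!

    # Find host names in use
    if line =~ /^name (\d+\.\d+\.\d+\.\d+) (.*)/
      ip, name = $1, $2
      @fw.host_names[parse_ip_name(name)] = ip
    end
  end
end

##
# Input: A firewall config file (the FWConfig::FirewallConfig is @fw)
#
# Output: Nothing; @fw.network_names and @fw.service_names are filled in
#
# Action: Parse the configuration file for network objects/groups and
# service groups, attaching their members to the last object seen.
def parse_network_service_objects(config)
  ##
  # Both network objects and service objects can contain group objects,
  # which is confusing when parsing line by line because the group object
  # may get associated with a network object when it should have been
  # associated with a service object, or vice versa. This variable is used
  # to determine if we are processing a network object or a service object.
  process_network = false

  ##
  # Read through each line of the configuration file, use regex to identify
  # the relevant parts of the config file, and update the FWConfig::Firewall
  # object as necessary.
  config.each_line do |line|
    line.chomp!

    # HOW TO PROCESS THESE
    #object network CANON_PRINTER
    #host 192.168.0.26
    #object network Ventrilo_tcp
    #host 192.168.0.6
    #description Ventrilo Server
    #object network ventrilo_udp
    #host 192.168.0.6
    #

    # Build a list of NetworkName objects. In ASA versions prior to 7.x
    # Cisco identifies network names with the object-group network command.
    # Each object-group is made up of network-objects and group-objects.
    # In ASA version 8.x Cisco uses the object network command.
    if line =~ /object network (.*)/
      vprint_status("Processing network group: " + $1)
      @fw.network_names << FWConfig::NetworkName.new($1)
      process_network = true
    end

    # NOTE(review): a 'host' member is stored bare here while a
    # 'network-object host' member below gets a '/32' suffix — confirm the
    # analyzer treats both forms the same way.
    if line =~ /^ host (.*)/
      vprint_status("Processing network object: " + $1)
      @fw.network_names.last.hosts << $1
    end

    if line =~ /object-group network (.*)/
      vprint_status("Processing network group: " + $1)
      @fw.network_names << FWConfig::NetworkName.new($1)
      process_network = true
    end

    # Add the network-object information to the last NetworkName we found.
    if line =~ /^ network-object (.*)/
      print_debug("Network Object: #{line}")
      network = $1
      if network =~ /host (.*)/
        vprint_status("Processing network object: " + $1)
        @fw.network_names.last.hosts << $1 + "/32"
      else
        vprint_status("Processing network object: " + network)
        @fw.network_names.last.hosts << network
      end
    end

    # If we find a network object-group and we have a group-object then we
    # add it to the last NetworkName we found.
    if line =~ /^ group-object (.*)/ && process_network
      vprint_status("Processing network group-object: " + $1)
      @fw.network_names.last.hosts << 'group ' + $1
    end

    # Build a list of ServiceName objects. Cisco identifies service names
    # with the object-group service command. Each object-group is made up
    # of service-objects, group-objects and port-objects.
    if line =~ /object-group service (.*)/
      vprint_status("Processing service group: " + $1)
      name, protocol = parse_service_object($1)
      @fw.service_names << FWConfig::ServiceName.new(name)
      @fw.service_names.last.protocol = protocol
      process_network = false
    end

    # Add the service-object information to the last ServiceName we found.
    # A 'range' keeps the keyword so the report can tell a span from a
    # single port.
    if line =~ /^ service-object (.*) (range|eq) (.*)/
      protocol, operator, ports = $1, $2, $3
      vprint_status("Processing service object")
      port = operator == 'range' ? "#{protocol} range #{ports}" : "#{protocol} #{ports}"

      print_debug("Port: #{port}")
      @fw.service_names.last.ports << port
    end

    # If we are not processing a network-object then we are processing a
    # service-object and need to add the group-object information to the
    # last ServiceName we identified.
    if line =~ /^ group-object (.*)/ && !process_network
      vprint_status("Processing service group-object: " + $1)
      @fw.service_names.last.ports << 'group ' + $1
    end

    # Add the port-object information to the last ServiceName found. The
    # protocol for the port-object is determined by the protocol of the
    # service object-group.
    if line =~ /^ port-object (eq|range) (.*)/
      operator, ports = $1, $2
      vprint_status("Processing port-object: ")
      protocol = @fw.service_names.last.protocol
      port = operator == 'range' ? "#{protocol} range #{ports}" : "#{protocol} #{ports}"

      print_debug("Port: #{port}")
      @fw.service_names.last.ports << port
    end
  end
end


##
# Input: A firewall config file (the FWConfig::FirewallConfig is @fw)
#
# Output: Nothing; @fw.access_lists is filled in
#
# Action: Collect the extended access-list entries into AccessList objects
# (one per distinct name, in the order first seen) and use the access-group
# commands to record which interface each list is applied to.
def parse_access_lists(config)
  config.each_line do |line|
    line.chomp!

    # Build a list of AccessList objects. Cisco gives the name of the
    # access-list on each line. If there are no AccessLists in the config
    # yet, or the name doesn't match the name of the last AccessList
    # object, then this is a new AccessList. Otherwise we add the
    # access-list information to the last AccessList object.
    #
    # NOTE(review): an entry with text after 'inactive' is skipped entirely
    # here, whereas a trailing 'inactive' is kept by parse_rule and reported
    # as disabled — confirm both behaviours are intended.
    next if line =~ /access-list .* inactive .*/

    if line =~ /access-list (.*) extended (.*)/
      name, entry = $1, $2
      current = @fw.access_lists.last
      if current.nil? || current.name != name
        vprint_status("Processing access list: " + name)
        @fw.access_lists << FWConfig::AccessList.new(name)
        @fw.access_lists.last.ruleset << parse_rule(1, entry)
      else
        # Rule ids continue the numbering of the list being extended.
        num = current.ruleset.last.num + 1
        current.ruleset << parse_rule(num, entry)
      end
    end

    # Use the access-group command to determine which access-lists are
    # applied to the interfaces (access-group NAME DIR interface INT_NAME).
    if line =~ /^access-group (.*)/
      name, _dir, _int, int_name = $1.split(" ")
      vprint_status("Processing access-group: " + name)
      @fw.access_lists.each { |al| al.interface = int_name if al.name == name }
    end
  end
end


##
# Input: A space delimited string representing an access control entry (rule)
#
# Output: A Rule object
#
# Action: Create a new Rule object and set the properties.
#
# Note: Technically a rule can have both a source service and a destination
# service. Currently only storing destination services because that is what
# I see most often. Need to consider how to handle both.
def parse_rule(id, string)
  rule = FWConfig::Rule.new(id)
  print_debug("Rule: #{string}")

  # By default the rule is enabled.
  rule.enabled = true

  # Each helper consumes the tokens it understands and hands back the rest.
  rule_array = string.split(" ")
  rule.action = parse_action(rule_array.shift)
  rule.protocol, rule_array = parse_rule_protocol(rule_array)
  rule.source, rule_array = parse_rule_host(rule_array)

  # capture the source service but not sure what to do with it yet.
  if rule.protocol != 'icmp'
    _source_service, rule_array = parse_rule_service(rule_array)
  end

  rule.dest, rule_array = parse_rule_host(rule_array)
  rule.service, rule_array = parse_rule_service(rule_array)

  # If the end of the rule includes the word 'inactive' then the rule is
  # disabled.
  rule.enabled = false if rule_array.include?('inactive')

  print_debug("Enabled: #{rule.enabled}")

  rule
end

##
# Input: A string
#
# Output: A string with either 'Deny' or 'Allow'
#
# Action: Only 'permit' maps to 'Allow'; anything else (including nil) is
# treated as 'Deny'.
def parse_action(str)
  action = str == 'permit' ? 'Allow' : 'Deny'

  print_debug("Action: #{action}")
  action
end

##
# Input: An array containing a partial access control entry
#
# Output: A string with the protocol and an array with the rest of the rule
#
# Action: If the first entry in the array is object-group then the protocol
# is a service object, otherwise the first entry is the protocol. An empty
# array yields an empty protocol.
def parse_rule_protocol(rule_array)
  str = rule_array.shift
  protocol =
    case str
    when nil then ''
    when "object-group" then rule_array.shift
    else str
    end

  print_debug("Protocol: #{protocol}")
  return protocol, rule_array
end

##
# Input: An array containing a partial access control entry
#
# Output: A string with the host and an array with the rest of the rule
#
# Action: If the first entry in the array is any then the host is "Any", if it
# is host then the host is the next entry in the array and has a mask of /32,
# if it is object-group then the host is a network object, otherwise it is the
# the host and the next entry in the array is the subnet mask.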
def parse_rule_host(rule_array)
  str = rule_array.shift
  print_debug("Str: #{str}")

  host =
    case str
    when nil then ''
    when "any" then "Any"
    when "any4" then "Any4"
    when "any6" then "Any6"
    when "host" then rule_array.shift + "/32"
    when "object-group", "object"
      # Only consume the reference when it names a known network object.
      # Otherwise it must be a service reference: put the keyword back for
      # parse_rule_service and report the host as 'Any'.
      if @fw.network?(rule_array[0])
        rule_array.shift
      else
        rule_array.unshift(str)
        'Any'
      end
    when %r{[0-9a-fA-F:]+/[0-9]+}
      # Already in prefix notation; nothing more to consume.
      str
    else
      # Address followed by its subnet mask as the next token.
      str + "/" + rule_array.shift
    end

  print_debug("Host: #{host}")
  return host, rule_array
end

##
# Input: An array containing a partial access control entry
#
# Output: A string with the service and an array with the rest of the rule
#
# Action: If the first entry in the array is nil then we are at the end of the
# rule and the service is "Any", if it is lt, gt, eq, neq or range then the
# next entry in the array is the port but is modified by the operator, if it
# is object-group then the service is a service name, otherwise the service is
# "Any".
def parse_rule_service(rule_array)
  str = rule_array.shift

  service =
    case str
    when nil then 'Any'
    when "lt" then '1 - ' + rule_array.shift
    when "gt" then rule_array.shift + ' - 65535'
    when "eq" then rule_array.shift
    when "neq" then 'not ' + rule_array.shift
    when "range" then rule_array.shift + " - " + rule_array.shift
    when "object-group"
      if @fw.service?(rule_array[0])
        rule_array.shift
      else
        # Not a known service object, so the token belongs to the next part
        # of the rule: put it back and report no service restriction.
        rule_array.unshift(str)
        'Any'
      end
    else
      # Anything else is not a service keyword; leave it for the caller.
      rule_array.unshift(str)
      'Any'
    end

  print_debug("Service: #{service}")
  return service, rule_array
end

##
# Input: A string (the name part of a 'name' command)
#
# Output: The host name with any trailing description removed
#
# Action: A name entry has an optional description. We filter this out and
# return only the name associated with the IP address.
def parse_ip_name(str)
  ip_name = str[/(.*) description (.*)/, 1] || str

  print_debug("IP Address: #{ip_name}")
  ip_name
end

##
# Input: A string
#
# Output: Two strings, one with the service name the other with the protocol
#
# Action: A service object can optionally define the protocol.
# If the protocol is defined then we return it, otherwise we set the
# protocol to 'tcp'.
def parse_service_object(str)
  match = str.match(/(.*) (tcp|udp|tcp-udp)$/)
  name, protocol = match ? [match[1], match[2]] : [str, 'tcp']

  print_debug("Name: #{name}")
  print_debug("Protocol: #{protocol}")
  return name, protocol
end

--------------------------------------------------------------------------------
/sample_configs/asa4.txt:
--------------------------------------------------------------------------------
ASA Version 8.0(4)
!
hostname vpn
domain-name ugplus.dk
enable password xx.xxxxxx.xxxxxx encrypted
passwd xxxxxxxxxx.xxxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.50.1 255.255.0.0
ospf cost 10
!
interface Vlan2
description Interface to ISP.
nameif outside
security-level 0
ip address xx.xx.xx.xx 255.255.255.248
ospf cost 10
!
interface Vlan12
nameif MPLS
security-level 50
ip address 172.17.11.234 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 12
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
45 | ftp mode passive 46 | clock timezone CEST 1 47 | clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00 48 | dns domain-lookup inside 49 | dns server-group DefaultDNS 50 | name-server 192.168.50.2 51 | name-server 192.168.47.250 52 | domain-name ugplus.dk 53 | same-security-traffic permit intra-interface 54 | object-group protocol TCPUDP 55 | protocol-object udp 56 | protocol-object tcp 57 | object-group service DM_INLINE_SERVICE_1 58 | service-object tcp eq 1701 59 | service-object tcp eq pptp 60 | service-object udp eq 1701 61 | object-group network DM_INLINE_NETWORK_1 62 | network-object 10.10.0.0 255.255.0.0 63 | network-object 10.11.0.0 255.255.0.0 64 | network-object 10.12.0.0 255.255.0.0 65 | network-object 10.13.0.0 255.255.0.0 66 | network-object 10.14.0.0 255.255.0.0 67 | object-group network DM_INLINE_NETWORK_3 68 | network-object 11.0.0.0 255.255.255.0 69 | network-object 172.16.0.0 255.255.0.0 70 | access-list employee_splitTunnelAcl_1 standard permit 192.168.0.0 255.255.0.0 71 | access-list inside_nat0_outbound remark MPLS til Odense Internal 72 | access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 10.10.0.0 255.255.0.0 73 | access-list inside_nat0_outbound remark MPLS til Odense Internal 74 | access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 10.11.0.0 255.255.0.0 75 | access-list inside_nat0_outbound remark MPLS til Odense Internal 76 | access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 10.12.0.0 255.255.0.0 77 | access-list inside_nat0_outbound remark MPLS til Odense Internal 78 | access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 10.13.0.0 255.255.0.0 79 | access-list inside_nat0_outbound remark MPLS til Odense Internal 80 | access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 10.14.0.0 255.255.0.0 81 | access-list inside_nat0_outbound remark MPLS til Odense Internal 82 | access-list inside_nat0_outbound 
extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0 83 | access-list inside_nat0_outbound remark VPN til MPLS 84 | access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_3 85 | access-list inside_nat0_outbound remark VPN til Odense Internal 86 | access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 11.0.0.0 255.255.255.0 87 | access-list inside_nat0_outbound extended permit ip 192.168.32.0 255.255.224.0 172.16.1.0 255.255.255.0 88 | access-list inside_nat0_outbound extended permit ip 192.168.32.0 255.255.224.0 172.16.0.0 255.255.255.0 89 | access-list outside_access_in remark ICMP Ping 90 | access-list outside_access_in extended permit icmp any xx.xx.xxx.xx 255.255.255.248 91 | access-list outside_access_in remark Rene 92 | access-list outside_access_in extended permit tcp xx.xxx.xxx.xxx 255.255.255.248 xx.xx.xxx.xx 255.255.255.248 eq 3389 93 | access-list outside_access_in remark Cirque RDP til UGPLUS 94 | access-list outside_access_in extended permit tcp xx.xxx.xxx.x 255.255.255.248 xx.xx.xxx.xx 255.255.255.248 eq 3391 95 | access-list outside_access_in remark Cirque SIP 96 | access-list outside_access_in extended permit udp xx.xx.xxx.x 255.255.255.128 host xx.xx.xxx.xx range 6000 40000 97 | access-list outside_access_in remark Cirque SIP 98 | access-list outside_access_in extended permit udp xx.xx.xxx.x 255.255.255.128 host xx.xx.xxx.xx eq sip 99 | access-list outside_access_in remark HTTPS 100 | access-list outside_access_in extended permit tcp any xx.xx.xxx.xx 255.255.255.248 eq https 101 | access-list outside_access_in remark HTTP 102 | access-list outside_access_in extended permit tcp any xx.xx.xxx.xx 255.255.255.248 eq www 103 | access-list outside_access_in remark MYSQL 104 | access-list outside_access_in extended permit tcp any host xx.xx.xxx.xx eq 8080 105 | access-list outside_access_in remark HTTP 106 | access-list outside_access_in extended permit tcp any 
host xx.xx.xxx.xx eq www 107 | access-list outside_access_in remark ESET Admin 108 | access-list outside_access_in extended permit tcp any xx.xx.xxx.xx 255.255.255.248 eq 2222 109 | access-list outside_access_in remark SMTP til spam.ugplus.dk 110 | access-list outside_access_in extended permit tcp any xx.xx.xxx.xx 255.255.255.248 eq smtp 111 | access-list outside_access_in remark Exchange Client/serc Comm. / Exchange Admin 112 | access-list outside_access_in extended permit tcp any xx.xx.xxx.xx 255.255.255.248 eq 135 113 | access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any xx.xx.xxx.xx 255.255.255.248 inactive 114 | access-list employee_splitTunnelAcl standard permit 192.168.32.0 255.255.224.0 115 | access-list outside_1_cryptomap extended permit ip 192.168.32.0 255.255.224.0 172.16.0.0 255.255.255.0 116 | access-list inside_access_in remark Allow all local network traffic 117 | access-list inside_access_in extended permit ip any any log disable 118 | access-list MPLS_access_in extended permit ip 10.10.0.0 255.255.0.0 any 119 | access-list MPLS_access_in extended permit ip 10.11.0.0 255.255.0.0 any 120 | access-list MPLS_access_in remark Kolding 121 | access-list MPLS_access_in extended permit ip 10.12.0.0 255.255.0.0 any log disable 122 | access-list MPLS_access_in remark Vejle 123 | access-list MPLS_access_in extended permit ip 10.13.0.0 255.255.0.0 any log disable 124 | access-list MPLS_access_in extended permit ip 10.14.0.0 255.255.0.0 any 125 | access-list outside_2_cryptomap extended permit ip 192.168.32.0 255.255.224.0 172.16.1.0 255.255.255.0 126 | access-list outside_cryptomap extended permit ip 192.168.32.0 255.255.224.0 172.16.1.0 255.255.255.0 127 | pager lines 24 128 | logging enable 129 | logging asdm warnings 130 | no logging message 305012 131 | no logging message 305011 132 | no logging message 302015 133 | no logging message 302014 134 | no logging message 302013 135 | no logging message 302012 136 | no logging 
message 302016 137 | mtu inside 1500 138 | mtu outside 1500 139 | mtu MPLS 1500 140 | ip local pool VPN 11.0.0.1-11.0.0.200 mask 255.255.255.0 141 | no failover 142 | icmp unreachable rate-limit 1 burst-size 1 143 | asdm image disk0:/asdm-613.bin 144 | no asdm history enable 145 | arp timeout 14400 146 | global (outside) 1 interface 147 | global (MPLS) 1 interface 148 | nat (inside) 0 access-list inside_nat0_outbound 149 | nat (inside) 1 0.0.0.0 0.0.0.0 150 | nat (outside) 1 192.168.0.0 255.255.0.0 151 | nat (MPLS) 1 10.10.0.0 255.255.0.0 152 | nat (MPLS) 1 10.11.0.0 255.255.0.0 153 | nat (MPLS) 1 10.12.0.0 255.255.0.0 154 | nat (MPLS) 1 10.13.0.0 255.255.0.0 155 | nat (MPLS) 1 10.14.0.0 255.255.0.0 156 | static (inside,outside) tcp 80.72.148.27 3389 192.168.50.6 3389 netmask 255.255.255.255 157 | static (inside,outside) tcp 80.72.148.27 www 192.168.50.18 www netmask 255.255.255.255 158 | static (inside,outside) tcp 80.72.148.27 https 192.168.50.18 https netmask 255.255.255.255 159 | static (inside,outside) udp 80.72.148.27 6000 192.168.52.2 6000 netmask 255.255.255.255 160 | static (inside,outside) udp 80.72.148.27 sip 192.168.52.2 sip netmask 255.255.255.255 161 | static (inside,outside) tcp 80.72.148.28 135 192.168.46.3 135 netmask 255.255.255.255 162 | static (inside,outside) tcp 80.72.148.28 imap4 192.168.46.3 imap4 netmask 255.255.255.255 163 | static (inside,outside) tcp 80.72.148.28 pop3 192.168.46.3 pop3 netmask 255.255.255.255 164 | static (inside,outside) tcp 80.72.148.28 993 192.168.46.3 993 netmask 255.255.255.255 165 | static (inside,outside) tcp 80.72.148.28 102 192.168.46.3 102 netmask 255.255.255.255 166 | static (inside,outside) tcp 80.72.148.28 995 192.168.46.3 995 netmask 255.255.255.255 167 | static (inside,outside) tcp 80.72.148.28 nntp 192.168.46.3 nntp netmask 255.255.255.255 168 | static (inside,outside) tcp 80.72.148.28 563 192.168.46.3 563 netmask 255.255.255.255 169 | static (inside,outside) tcp 80.72.148.28 https 192.168.46.3 https 
netmask 255.255.255.255 170 | static (inside,outside) tcp 80.72.148.29 8080 192.168.47.240 3306 netmask 255.255.255.255 171 | static (inside,outside) tcp 80.72.148.29 www 192.168.47.240 www netmask 255.255.255.255 172 | static (inside,outside) tcp interface smtp 192.168.46.1 smtp netmask 255.255.255.255 173 | static (inside,outside) tcp interface 2222 192.168.50.2 2222 netmask 255.255.255.255 174 | static (inside,outside) tcp interface 3391 192.168.52.3 3389 netmask 255.255.255.255 175 | access-group inside_access_in in interface inside 176 | access-group outside_access_in in interface outside 177 | access-group MPLS_access_in in interface MPLS 178 | route outside 0.0.0.0 0.0.0.0 xx.xx.xxx.xx 1 179 | route MPLS 10.10.0.0 255.255.0.0 172.17.11.233 1 180 | route MPLS 10.11.0.0 255.255.0.0 172.17.11.233 1 181 | route MPLS 10.12.0.0 255.255.0.0 172.17.11.233 1 182 | route MPLS 10.13.0.0 255.255.0.0 172.17.11.233 1 183 | route MPLS 10.14.0.0 255.255.0.0 172.17.11.233 1 184 | timeout xlate 3:00:00 185 | timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 186 | timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 187 | timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 188 | timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute 189 | dynamic-access-policy-record DfltAccessPolicy 190 | aaa authentication ssh console LOCAL 191 | aaa authentication telnet console LOCAL 192 | http server enable 193 | http 192.168.50.0 255.255.255.0 inside 194 | no snmp-server location 195 | no snmp-server contact 196 | snmp-server enable traps snmp authentication linkup linkdown coldstart 197 | crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 198 | crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 199 | crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 200 | crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 201 | crypto ipsec transform-set 
ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 202 | crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 203 | crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 204 | crypto ipsec transform-set zyxel esp-des esp-sha-hmac 205 | crypto ipsec transform-set TRANS_ESP_AES128_SHA esp-aes esp-sha-hmac 206 | crypto ipsec transform-set TRANS_ESP_AES128_SHA mode transport 207 | crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 208 | crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport 209 | crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 210 | crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 211 | crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 212 | crypto ipsec security-association lifetime seconds 28800 213 | crypto ipsec security-association lifetime kilobytes 4608000 214 | crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 215 | crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA TRANS_ESP_3DES_SHA ESP-3DES-MD5 ESP-AES-256-SHA ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-MD5 ESP-DES-SHA ESP-DES-MD5 zyxel 216 | crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800 217 | crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000 218 | crypto dynamic-map London 3 match address outside_cryptomap 219 | crypto dynamic-map London 3 set pfs 220 | crypto dynamic-map London 3 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 221 | crypto dynamic-map London 3 set security-association lifetime seconds 28800 222 | crypto dynamic-map London 3 set security-association lifetime kilobytes 4608000 223 | crypto map outside_map 1 match address outside_1_cryptomap 224 | crypto map outside_map 1 set pfs 225 | crypto map outside_map 1 set peer xx.xxx.xxx.xx 226 
| crypto map outside_map 1 set transform-set ESP-3DES-SHA 227 | crypto map outside_map 1 set security-association lifetime seconds 28800 228 | crypto map outside_map 1 set security-association lifetime kilobytes 4608000 229 | crypto map outside_map 2 match address outside_2_cryptomap 230 | crypto map outside_map 2 set pfs 231 | crypto map outside_map 2 set peer xx.xxx.xxx.xxx 232 | crypto map outside_map 2 set transform-set ESP-3DES-SHA 233 | crypto map outside_map 2 set security-association lifetime seconds 28800 234 | crypto map outside_map 2 set security-association lifetime kilobytes 4608000 235 | crypto map outside_map 3 ipsec-isakmp dynamic London 236 | crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP 237 | crypto map outside_map interface outside 238 | crypto ca trustpoint ASDM_TrustPoint0 239 | enrollment self 240 | subject-name CN=firewall 241 | crl configure 242 | crypto ca trustpoint ASDM_TrustPoint1 243 | enrollment self 244 | fqdn vpn.ugplus.dk 245 | subject-name CN=firewall 246 | serial-number 247 | keypair StrongRSA 248 | proxy-ldc-issuer 249 | crl configure 250 | crypto ca certificate chain ASDM_TrustPoint0 251 | certificate xxxxxxxxxx 252 | quit 253 | crypto ca certificate chain ASDM_TrustPoint1 254 | certificate xxxxxxxxxx 255 | quit 256 | crypto isakmp identity address 257 | crypto isakmp enable inside 258 | crypto isakmp enable outside 259 | crypto isakmp policy 50 260 | authentication pre-share 261 | encryption aes 262 | hash sha 263 | group 5 264 | lifetime 86400 265 | crypto isakmp policy 60 266 | authentication pre-share 267 | encryption des 268 | hash sha 269 | group 1 270 | lifetime 86400 271 | crypto isakmp policy 70 272 | authentication pre-share 273 | encryption 3des 274 | hash sha 275 | group 1 276 | lifetime 86400 277 | crypto isakmp policy 80 278 | authentication pre-share 279 | encryption 3des 280 | hash md5 281 | group 2 282 | lifetime 86400 283 | crypto isakmp policy 85 284 | authentication pre-share 285 
| encryption aes 286 | hash sha 287 | group 2 288 | lifetime 86400 289 | crypto isakmp policy 105 290 | authentication pre-share 291 | encryption des 292 | hash md5 293 | group 1 294 | lifetime 86400 295 | crypto isakmp policy 125 296 | authentication pre-share 297 | encryption 3des 298 | hash sha 299 | group 2 300 | lifetime 86400 301 | crypto isakmp nat-traversal 60 302 | crypto isakmp disconnect-notify 303 | no vpn-addr-assign dhcp 304 | vpn-addr-assign local reuse-delay 5 305 | telnet 192.168.50.0 255.255.255.0 inside 306 | telnet timeout 5 307 | ssh xx.xx.xxx.xxx 255.255.255.255 outside 308 | ssh timeout 5 309 | ssh version 2 310 | console timeout 0 311 | management-access inside 312 | 313 | threat-detection basic-threat 314 | threat-detection statistics host 315 | threat-detection statistics port 316 | threat-detection statistics protocol 317 | threat-detection statistics access-list 318 | no threat-detection statistics tcp-intercept 319 | ntp server 193.162.159.194 source outside prefer 320 | ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 des-sha1 321 | webvpn 322 | enable outside 323 | svc image disk0:/anyconnect-win-2.3.2016-k9.pkg 1 324 | svc image disk0:/anyconnect-macosx-i386-2.5.1025-k9.pkg 2 325 | svc enable 326 | tunnel-group-list enable 327 | group-policy DfltGrpPolicy attributes 328 | dns-server value 192.168.47.250 329 | vpn-simultaneous-logins 100 330 | vpn-idle-timeout none 331 | vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn 332 | default-domain value ugplus.dk 333 | split-dns value ugplus.dk terminal.dk 334 | ip-phone-bypass enable 335 | leap-bypass enable 336 | nem enable 337 | group-policy zyxel internal 338 | group-policy employee internal 339 | group-policy employee attributes 340 | dns-server value 192.168.47.250 341 | vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn 342 | split-tunnel-policy tunnelspecified 343 | split-tunnel-network-list none 344 | default-domain value ugplus.dk 345 | split-dns value ugplus.dk 346 | 
tunnel-group DefaultRAGroup general-attributes 347 | address-pool VPN 348 | authorization-server-group LOCAL 349 | tunnel-group DefaultRAGroup ipsec-attributes 350 | pre-shared-key * 351 | peer-id-validate nocheck 352 | isakmp keepalive disable 353 | tunnel-group DefaultRAGroup ppp-attributes 354 | authentication pap 355 | authentication ms-chap-v2 356 | authentication eap-proxy 357 | tunnel-group DefaultWEBVPNGroup general-attributes 358 | address-pool VPN 359 | default-group-policy employee 360 | tunnel-group DefaultWEBVPNGroup ipsec-attributes 361 | peer-id-validate nocheck 362 | tunnel-group DefaultWEBVPNGroup ppp-attributes 363 | authentication pap 364 | authentication ms-chap-v2 365 | authentication eap-proxy 366 | tunnel-group xx.xxx.xxx.xx type ipsec-l2l 367 | tunnel-group xx.xxx.xxx.xx ipsec-attributes 368 | pre-shared-key * 369 | peer-id-validate nocheck 370 | tunnel-group employee type remote-access 371 | tunnel-group employee general-attributes 372 | address-pool VPN 373 | default-group-policy employee 374 | tunnel-group employee ipsec-attributes 375 | pre-shared-key * 376 | peer-id-validate nocheck 377 | tunnel-group employee ppp-attributes 378 | authentication pap 379 | authentication ms-chap-v2 380 | authentication eap-proxy 381 | tunnel-group xx.xxx.xxx.xxx type ipsec-l2l 382 | tunnel-group xx.xxx.xxx.xxx ipsec-attributes 383 | pre-shared-key * 384 | peer-id-validate nocheck 385 | tunnel-group London type ipsec-l2l 386 | tunnel-group London ipsec-attributes 387 | pre-shared-key * 388 | peer-id-validate nocheck 389 | ! 390 | class-map inspection_default 391 | match default-inspection-traffic 392 | ! 393 | ! 
394 | policy-map type inspect dns preset_dns_map 395 | parameters 396 | message-length maximum 512 397 | policy-map global_policy 398 | class inspection_default 399 | inspect dns preset_dns_map 400 | inspect ftp 401 | inspect h323 h225 402 | inspect h323 ras 403 | inspect rsh 404 | inspect rtsp 405 | inspect sqlnet 406 | inspect skinny 407 | inspect sunrpc 408 | inspect xdmcp 409 | inspect sip 410 | inspect netbios 411 | inspect tftp 412 | ! 413 | service-policy global_policy global 414 | prompt hostname context 415 | Cryptochecksum:5a5054c48874fc5a3d0b938c941c2ee7 416 | : end 417 | -------------------------------------------------------------------------------- /sample_configs/asa5.txt: -------------------------------------------------------------------------------- 1 | : Saved 2 | : 3 | ASA Version 8.4(4)1 4 | ! 5 | hostname asa 6 | domain-name securesub.net 7 | enable password XXX encrypted 8 | passwd XXX encrypted 9 | names 10 | name 192.168.0.11 DAN_NIX 11 | name 192.168.0.1 ASA_INSIDE 12 | ! 13 | interface Ethernet0/0 14 | switchport access vlan 2 15 | ! 16 | interface Ethernet0/1 17 | ! 18 | interface Ethernet0/2 19 | ! 20 | interface Ethernet0/3 21 | ! 22 | interface Ethernet0/4 23 | ! 24 | interface Ethernet0/5 25 | switchport monitor Ethernet0/0 26 | ! 27 | interface Ethernet0/6 28 | ! 29 | interface Ethernet0/7 30 | ! 31 | interface Vlan1 32 | description \\LAN Connection to Switch\\ 33 | nameif inside 34 | security-level 100 35 | ip address ASA_INSIDE 255.255.255.0 36 | ! 37 | interface Vlan2 38 | description //OUT TO FIOS/// 39 | nameif outside 40 | security-level 0 41 | ip address dhcp setroute 42 | ! 
43 | boot system disk0:/asa844-1-k8.bin 44 | ftp mode passive 45 | clock timezone EST -5 46 | clock summer-time EDT recurring 47 | dns domain-lookup inside 48 | dns domain-lookup outside 49 | dns server-group DefaultDNS 50 | name-server 192.168.0.25 51 | name-server 4.2.2.2 52 | domain-name securesub.net 53 | same-security-traffic permit intra-interface 54 | object network INSIDE_LAN 55 | subnet 192.168.0.0 255.255.255.0 56 | object network CAFFEINATED-SSH 57 | host 192.168.0.22 58 | object network ASA_INSIDE 59 | host 192.168.0.1 60 | object network ASA-ASDM_SSLVPN 61 | host 192.168.0.1 62 | object network AnyConnect_VPN_USERS 63 | description Anyconnet VPN Range 64 | object network ANYCONNECT_VPN_USERS 65 | object network ANYCONNECT_VPN_POOL 66 | object network ANYCONNECT_VPN 67 | subnet 192.168.0.200 255.255.255.248 68 | object network EXCHANGE_SMTP(SSL) 69 | host 192.168.0.4 70 | object network Dans-Desktop 71 | host 192.168.0.10 72 | object network EXCHANGE_OWA 73 | host 192.168.0.4 74 | object network EXCHANGE_ACTIVESYNC 75 | host 192.168.0.4 76 | object network EXCHANGE_IMAP 77 | host 192.168.0.4 78 | object network EXCHANGE_SMTP 79 | host 192.168.0.4 80 | object network ESX_5_SERVER 81 | host 192.168.0.5 82 | description ESX5 Server 83 | object network DansDesktop 84 | host 192.168.0.10 85 | description DansDesktop 86 | object network RRAS 87 | host 192.168.0.4 88 | object network RDWeb_App 89 | host 192.168.0.4 90 | object network RRAS_L2TP_IKE 91 | host 192.168.0.4 92 | object network RRAS_L2TP_IPSEC 93 | host 192.168.0.4 94 | object network VPN-POOL 95 | host 192.168.0.200 96 | object network DD-WRT 97 | host 192.168.0.101 98 | object network SWITCH 99 | host 192.168.0.2 100 | object network ESX_MANAGEMENT 101 | host 192.168.0.3 102 | object network WDTV 103 | host 192.168.0.7 104 | object network FREENAS 105 | host 192.168.0.12 106 | object network CANON_PRINTER 107 | host 192.168.0.26 108 | object network Ventrilo_tcp 109 | host 192.168.0.6 110 | 
description Ventrilo Server 111 | object network ventrilo_udp 112 | host 192.168.0.6 113 | object network Vent_data_tcp 114 | host 192.168.0.6 115 | object network vent_data_udp 116 | host 192.168.0.6 117 | object network US.LOGON.BATTLE.NET 118 | host 12.129.206.130 119 | description Ysera 120 | object network YSERA 121 | host 199.107.6.199 122 | object network IIS_OWA 123 | host 192.168.0.4 124 | object service https 125 | service tcp source eq https destination eq https 126 | object network Minecraft 127 | host 192.168.0.22 128 | object network Media-Server 129 | host 192.168.0.6 130 | object service 6in4 131 | service 41 132 | object network ipv6_remote_endpoint 133 | host 216.66.22.2 134 | object network ipv6_local_endpoint 135 | host 192.168.0.25 136 | object network DNS_lookup 137 | host 192.168.0.25 138 | object network DNS_transfer 139 | host 192.168.0.25 140 | object-group network obj-192.168.0.0 141 | object-group service metasploit_range tcp 142 | port-object range 4444 4454 143 | object-group protocol TCPUDP 144 | protocol-object udp 145 | protocol-object tcp 146 | object-group network INTERNAL_ONLY_DEVICES 147 | network-object object CANON_PRINTER 148 | network-object object DD-WRT 149 | network-object object ESX_5_SERVER 150 | network-object object ESX_MANAGEMENT 151 | network-object object FREENAS 152 | network-object object SWITCH 153 | network-object object WDTV 154 | object-group service Vent tcp-udp 155 | port-object eq 6011 156 | port-object eq 3784 157 | object-group service World_of_Warcraft tcp 158 | port-object eq 3724 159 | port-object eq 6112 160 | port-object range 6881 6999 161 | object-group network Ventrilo 162 | network-object object Vent_data_tcp 163 | network-object object vent_data_udp 164 | network-object object Ventrilo_tcp 165 | network-object object ventrilo_udp 166 | object-group service Battlenet_login tcp 167 | port-object eq 1119 168 | object-group service irc_ports tcp 169 | port-object eq 8001 170 | object-group service 
minecraft tcp 171 | port-object eq 25565 172 | object-group service Vent_3784 tcp 173 | port-object eq 3784 174 | object-group service Vent_3784_udp udp 175 | port-object eq 3784 176 | access-list outside_access_in extended permit tcp any object CAFFEINATED-SSH eq ssh 177 | access-list outside_access_in extended permit tcp any object ASA_INSIDE eq 8080 178 | access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0 179 | access-list ALLOWED_FROM_OUTSIDE extended permit ip 192.168.0.0 255.255.255.0 object ANYCONNECT_VPN 180 | access-list ALLOWED_FROM_OUTSIDE extended permit object-group TCPUDP any object CAFFEINATED-SSH object-group Vent log emergencies 181 | access-list ALLOWED_FROM_OUTSIDE extended permit tcp any object DansDesktop eq 64620 182 | access-list ALLOWED_FROM_OUTSIDE extended permit tcp any object EXCHANGE_ACTIVESYNC eq www 183 | access-list ALLOWED_FROM_OUTSIDE extended permit tcp any object RDWeb_App eq 3389 184 | access-list ALLOWED_FROM_OUTSIDE extended permit tcp any object EXCHANGE_OWA eq https 185 | access-list ALLOWED_FROM_OUTSIDE extended permit tcp any object EXCHANGE_SMTP(SSL) eq 587 186 | access-list ALLOWED_FROM_OUTSIDE extended permit tcp any object CAFFEINATED-SSH eq ssh 187 | access-list ALLOWED_FROM_OUTSIDE extended permit tcp any object ASA-ASDM_SSLVPN eq www 188 | access-list ALLOWED_FROM_OUTSIDE extended permit tcp any object EXCHANGE_IMAP eq 993 189 | access-list ALLOWED_FROM_OUTSIDE extended permit tcp any object EXCHANGE_SMTP eq smtp 190 | access-list ALLOWED_FROM_OUTSIDE extended permit tcp any object RRAS eq pptp 191 | access-list ALLOWED_FROM_OUTSIDE extended permit gre any object RRAS 192 | access-list outside_access_in_1 extended permit ip any any 193 | access-list outside_access_in_1 extended permit 41 any any 194 | access-list inside_access_in_1 extended permit 41 any any 195 | access-list inside_access_in_1 extended permit ip any any 196 | access-list global_access extended 
permit icmp any any echo 197 | access-list global_access extended permit icmp any any echo-reply 198 | access-list global_access extended permit tcp any object US.LOGON.BATTLE.NET object-group Battlenet_login log emergencies 199 | access-list global_access extended permit tcp any any object-group World_of_Warcraft log emergencies 200 | access-list global_access extended permit tcp any any eq 8001 log emergencies 201 | access-list global_access extended deny tcp any any eq finger 202 | access-list global_access extended deny ip object-group INTERNAL_ONLY_DEVICES interface outside 203 | access-list global_access extended permit ip 192.168.0.0 255.255.255.0 any 204 | access-list global_access extended permit tcp any object Dans-Desktop eq 64620 205 | access-list global_access extended permit object-group TCPUDP any object DNS_lookup eq domain 206 | access-list global_access extended permit tcp any object Media-Server eq 64621 207 | access-list global_access extended permit tcp any object EXCHANGE_ACTIVESYNC eq www 208 | access-list global_access extended permit tcp any object RDWeb_App eq 3389 209 | access-list global_access extended permit tcp any object EXCHANGE_SMTP(SSL) eq 587 210 | access-list global_access extended permit tcp any object CAFFEINATED-SSH eq ssh 211 | access-list global_access extended permit tcp any object ASA-ASDM_SSLVPN eq www 212 | access-list global_access extended permit tcp any object EXCHANGE_IMAP eq 993 213 | access-list global_access extended permit tcp any object EXCHANGE_SMTP eq smtp 214 | access-list global_access extended permit tcp any object RRAS eq pptp 215 | access-list global_access extended permit gre any object RRAS 216 | access-list global_access extended permit tcp any object EXCHANGE_OWA eq https 217 | access-list global_access extended permit tcp any object Minecraft object-group minecraft 218 | access-list global_access extended permit tcp any object Vent_data_tcp object-group Vent_3784 219 | access-list global_access 
extended permit udp any object vent_data_udp object-group Vent_3784_udp 220 | access-list BAH-PKI-LAB remark BAH-PKI-LAB ACCESS 221 | access-list BAH-PKI-LAB standard permit 10.100.60.0 255.255.255.0 222 | access-list BAH-PKI-LAB remark Vandyke WIFI 223 | access-list BAH-PKI-LAB standard permit 192.168.5.0 255.255.255.0 224 | access-list BAH-PKI-LAB remark BAH-PKI-LAB ACCESS 225 | access-list BAH-PKI-LAB remark Vandyke WIFI 226 | access-list inside_access_in extended permit ip any any 227 | access-list irc extended permit tcp any any eq 8001 log emergencies interval 1 228 | access-list irc extended permit tcp object CAFFEINATED-SSH any object-group irc_ports log debugging interval 10 229 | access-list ipv6tunnel extended permit object 6in4 object ipv6_remote_endpoint object ipv6_local_endpoint 230 | pager lines 24 231 | logging enable 232 | logging emblem 233 | logging console emergencies 234 | logging monitor emergencies 235 | logging buffered emergencies 236 | logging trap emergencies 237 | logging history emergencies 238 | logging asdm emergencies 239 | logging mail emergencies 240 | logging from-address asa@coffee.no-ip.info 241 | logging host inside 192.168.0.22 format emblem 242 | logging message 101001 level emergencies 243 | mtu inside 1500 244 | mtu outside 1500 245 | ip local pool VPN 192.168.0.200-192.168.0.205 mask 255.255.255.0 246 | ipv6 local pool SecuresubIPV6 2001:470:8:1044::100/64 10 247 | ipv6 access-list outside_access_ipv6_in permit icmp6 interface outside interface inside echo 248 | ipv6 access-list outside_access_ipv6_in permit icmp6 interface outside interface inside echo-reply 249 | no failover 250 | icmp unreachable rate-limit 1 burst-size 1 251 | asdm image disk0:/asdm-649-103.bin 252 | no asdm history enable 253 | arp timeout 14400 254 | nat (inside,outside) source static INSIDE_LAN INSIDE_LAN destination static ANYCONNECT_VPN ANYCONNECT_VPN 255 | nat (inside,outside) source static ipv6_local_endpoint interface destination static 
ipv6_remote_endpoint ipv6_remote_endpoint 256 | ! 257 | object network INSIDE_LAN 258 | nat (inside,outside) dynamic interface 259 | object network CAFFEINATED-SSH 260 | nat (inside,outside) static interface service tcp ssh ssh 261 | object network EXCHANGE_SMTP(SSL) 262 | nat (inside,outside) static interface service tcp 587 587 263 | object network EXCHANGE_OWA 264 | nat (inside,outside) static interface service tcp https https 265 | object network EXCHANGE_ACTIVESYNC 266 | nat (inside,outside) static interface service tcp www www 267 | object network EXCHANGE_IMAP 268 | nat (inside,outside) static interface service tcp 993 993 269 | object network EXCHANGE_SMTP 270 | nat (inside,outside) static interface service tcp smtp smtp 271 | object network DansDesktop 272 | nat (inside,outside) static interface service tcp 64620 64620 273 | object network RRAS 274 | nat (inside,outside) static interface service tcp pptp pptp 275 | object network RDWeb_App 276 | nat (inside,outside) static interface service tcp 3389 3389 277 | object network Ventrilo_tcp 278 | nat (any,outside) static interface service tcp 3784 3784 279 | object network ventrilo_udp 280 | nat (any,outside) static interface service udp 3784 3784 281 | object network Vent_data_tcp 282 | nat (any,outside) static interface service tcp 6011 6011 283 | object network vent_data_udp 284 | nat (any,outside) static interface service udp 6011 6011 285 | object network IIS_OWA 286 | nat (any,outside) static interface service tcp https https 287 | object network Minecraft 288 | nat (any,outside) static interface service tcp 25565 25565 289 | object network Media-Server 290 | nat (any,outside) static interface service tcp 64621 64621 291 | object network DNS_lookup 292 | nat (any,outside) static interface service tcp domain domain 293 | object network DNS_transfer 294 | nat (any,outside) static interface service udp domain domain 295 | ! 
296 | nat (outside,outside) after-auto source dynamic ANYCONNECT_VPN interface 297 | access-group ipv6tunnel in interface outside 298 | access-group outside_access_ipv6_in in interface outside 299 | access-group global_access global 300 | timeout xlate 3:00:00 301 | timeout pat-xlate 0:00:30 302 | timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 303 | timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 304 | timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 305 | timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute 306 | timeout tcp-proxy-reassembly 0:01:00 307 | timeout floating-conn 0:00:00 308 | dynamic-access-policy-record DfltAccessPolicy 309 | user-identity default-domain LOCAL 310 | aaa authentication ssh console LOCAL 311 | http server enable 8080 312 | http server idle-timeout 10 313 | http 0.0.0.0 0.0.0.0 inside 314 | http 0.0.0.0 0.0.0.0 outside 315 | no snmp-server location 316 | no snmp-server contact 317 | snmp-server enable traps snmp authentication linkup linkdown coldstart 318 | crypto ipsec ikev2 ipsec-proposal AES256 319 | protocol esp encryption aes-256 320 | protocol esp integrity sha-1 md5 321 | crypto ipsec ikev2 ipsec-proposal AES192 322 | protocol esp encryption aes-192 323 | protocol esp integrity sha-1 md5 324 | crypto ipsec ikev2 ipsec-proposal AES 325 | protocol esp encryption aes 326 | protocol esp integrity sha-1 md5 327 | crypto ipsec ikev2 ipsec-proposal 3DES 328 | protocol esp encryption 3des 329 | protocol esp integrity sha-1 md5 330 | crypto ipsec ikev2 ipsec-proposal DES 331 | protocol esp encryption des 332 | protocol esp integrity sha-1 md5 333 | crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES 334 | crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP 335 | crypto map outside_map interface outside 336 | crypto ca trustpoint ASDM_TrustPoint1 337 | enrollment terminal 338 
| crl configure 339 | crypto ca trustpoint securesub 340 | revocation-check ocsp 341 | keypair securesub 342 | ocsp url http://192.168.0.22:3502 343 | crl configure 344 | crypto ca certificate chain ASDM_TrustPoint1 345 | certificate ca XXXXX 346 | quit 347 | crypto ca certificate chain securesub 348 | certificate XXXXX 349 | quit 350 | crypto ikev2 policy 1 351 | encryption aes-256 352 | integrity sha 353 | group 5 354 | prf sha 355 | lifetime seconds 86400 356 | crypto ikev2 policy 10 357 | encryption aes-192 358 | integrity sha 359 | group 5 360 | prf sha 361 | lifetime seconds 86400 362 | crypto ikev2 policy 20 363 | encryption aes 364 | integrity sha 365 | group 5 366 | prf sha 367 | lifetime seconds 86400 368 | crypto ikev2 policy 30 369 | encryption 3des 370 | integrity sha 371 | group 5 372 | prf sha 373 | lifetime seconds 86400 374 | crypto ikev2 policy 40 375 | encryption des 376 | integrity sha 377 | group 5 378 | prf sha 379 | lifetime seconds 86400 380 | crypto ikev2 remote-access trustpoint securesub 381 | crypto ikev1 policy 10 382 | authentication pre-share 383 | encryption des 384 | hash sha 385 | group 2 386 | lifetime 86400 387 | telnet timeout 5 388 | ssh 192.168.0.0 255.255.255.0 inside 389 | ssh timeout 60 390 | ssh key-exchange group dh-group1-sha1 391 | console timeout 0 392 | management-access inside 393 | 394 | dhcpd auto_config outside 395 | ! 396 | dhcpd dns 129.250.35.250 129.250.35.251 interface inside 397 | ! 
398 | threat-detection basic-threat 399 | threat-detection statistics 400 | threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200 401 | ssl trust-point securesub outside 402 | ssl trust-point securesub inside 403 | webvpn 404 | port 8080 405 | enable outside 406 | anyconnect-essentials 407 | anyconnect image disk0:/anyconnect-win-3.0.5080-k9.pkg 1 408 | anyconnect profiles coffee_anyconnect_client_profile disk0:/coffee_anyconnect_client_profile.xml 409 | anyconnect enable 410 | tunnel-group-list enable 411 | group-policy DefaultRAGroup internal 412 | group-policy DfltGrpPolicy attributes 413 | vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless 414 | group-policy GroupPolicy_coffee_anyconnect internal 415 | group-policy GroupPolicy_coffee_anyconnect attributes 416 | wins-server none 417 | dns-server value 192.168.0.25 4.2.2.2 418 | vpn-tunnel-protocol ikev2 ssl-client 419 | split-tunnel-policy excludespecified 420 | split-tunnel-network-list value BAH-PKI-LAB 421 | default-domain value securesub 422 | webvpn 423 | anyconnect keep-installer installed 424 | anyconnect ssl rekey time 30 425 | anyconnect ssl rekey method ssl 426 | anyconnect profiles value coffee_anyconnect_client_profile type user 427 | anyconnect ask enable default anyconnect timeout 5 428 | group-policy coffee_clientless internal 429 | group-policy coffee_clientless attributes 430 | vpn-tunnel-protocol ssl-clientless 431 | webvpn 432 | url-list value dans 433 | anyconnect ask none default anyconnect 434 | service-type remote-access 435 | username dano password XXXXXX encrypted privilege 15 436 | tunnel-group coffee_anyconnect type remote-access 437 | tunnel-group coffee_anyconnect general-attributes 438 | address-pool VPN 439 | ipv6-address-pool SecuresubIPV6 440 | default-group-policy GroupPolicy_coffee_anyconnect 441 | tunnel-group coffee_anyconnect webvpn-attributes 442 | authentication aaa certificate 443 | group-alias coffee_anyconnect disable 444 | 
group-alias securesub enable 445 | tunnel-group coffee_clientless type remote-access 446 | tunnel-group coffee_clientless general-attributes 447 | default-group-policy coffee_clientless 448 | ! 449 | class-map global-class 450 | match default-inspection-traffic 451 | class-map inspection_default 452 | match default-inspection-traffic 453 | ! 454 | ! 455 | policy-map type inspect dns preset_dns_map 456 | parameters 457 | message-length maximum 512 458 | policy-map FTPPOLICY 459 | class inspection_default 460 | inspect ftp 461 | policy-map global-policy 462 | class global-class 463 | inspect esmtp 464 | inspect ipsec-pass-thru 465 | ! 466 | service-policy global-policy global 467 | prompt hostname context 468 | no call-home reporting anonymous 469 | call-home 470 | profile CiscoTAC-1 471 | no active 472 | destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService 473 | destination address email callhome@cisco.com 474 | destination transport-method http 475 | subscribe-to-alert-group diagnostic 476 | subscribe-to-alert-group environment 477 | subscribe-to-alert-group inventory periodic monthly 478 | subscribe-to-alert-group configuration periodic monthly 479 | subscribe-to-alert-group telemetry periodic daily 480 | hpm topN enable 481 | Cryptochecksum:a92a6de1278b17f8c59b7af2be9e525e 482 | : end 483 | asdm image disk0:/asdm-649-103.bin 484 | no asdm history enable -------------------------------------------------------------------------------- /sample_configs/ipv6_test.txt: -------------------------------------------------------------------------------- 1 | : Saved 2 | : 3 | ASA Version 8.4(4)1 4 | ! 5 | hostname asa 6 | domain-name securesub.net 7 | enable password XXX encrypted 8 | passwd XXX encrypted 9 | names 10 | name 192.168.0.11 DAN_NIX 11 | name 192.168.0.1 ASA_INSIDE 12 | ! 13 | interface Ethernet0/0 14 | switchport access vlan 2 15 | ! 16 | interface Ethernet0/1 17 | ! 18 | interface Ethernet0/2 19 | ! 
20 | interface Ethernet0/3 21 | ! 22 | interface Ethernet0/4 23 | ! 24 | interface Ethernet0/5 25 | switchport monitor Ethernet0/0 26 | ! 27 | interface Ethernet0/6 28 | ! 29 | interface Ethernet0/7 30 | ! 31 | interface Vlan1 32 | description \\LAN Connection to Switch\\ 33 | nameif inside 34 | security-level 100 35 | ip address ASA_INSIDE 255.255.255.0 36 | ! 37 | interface Vlan2 38 | description //OUT TO FIOS/// 39 | nameif outside 40 | security-level 0 41 | ip address dhcp setroute 42 | ! 43 | boot system disk0:/asa844-1-k8.bin 44 | ftp mode passive 45 | clock timezone EST -5 46 | clock summer-time EDT recurring 47 | dns domain-lookup inside 48 | dns domain-lookup outside 49 | dns server-group DefaultDNS 50 | name-server 192.168.0.25 51 | name-server 4.2.2.2 52 | domain-name securesub.net 53 | same-security-traffic permit intra-interface 54 | object network INSIDE_LAN 55 | subnet 192.168.0.0 255.255.255.0 56 | object network CAFFEINATED-SSH 57 | host 192.168.0.22 58 | object network ASA_INSIDE 59 | host 192.168.0.1 60 | object network ASA-ASDM_SSLVPN 61 | host 192.168.0.1 62 | object network AnyConnect_VPN_USERS 63 | description Anyconnet VPN Range 64 | object network ANYCONNECT_VPN_USERS 65 | object network ANYCONNECT_VPN_POOL 66 | object network ANYCONNECT_VPN 67 | subnet 192.168.0.200 255.255.255.248 68 | object network EXCHANGE_SMTP(SSL) 69 | host 192.168.0.4 70 | object network Dans-Desktop 71 | host 192.168.0.10 72 | object network EXCHANGE_OWA 73 | host 192.168.0.4 74 | object network EXCHANGE_ACTIVESYNC 75 | host 192.168.0.4 76 | object network EXCHANGE_IMAP 77 | host 192.168.0.4 78 | object network EXCHANGE_SMTP 79 | host 192.168.0.4 80 | object network ESX_5_SERVER 81 | host 192.168.0.5 82 | description ESX5 Server 83 | object network DansDesktop 84 | host 192.168.0.10 85 | description DansDesktop 86 | object network RRAS 87 | host 192.168.0.4 88 | object network RDWeb_App 89 | host 192.168.0.4 90 | object network RRAS_L2TP_IKE 91 | host 192.168.0.4 
92 | object network RRAS_L2TP_IPSEC 93 | host 192.168.0.4 94 | object network VPN-POOL 95 | host 192.168.0.200 96 | object network DD-WRT 97 | host 192.168.0.101 98 | object network SWITCH 99 | host 192.168.0.2 100 | object network ESX_MANAGEMENT 101 | host 192.168.0.3 102 | object network WDTV 103 | host 192.168.0.7 104 | object network FREENAS 105 | host 192.168.0.12 106 | object network CANON_PRINTER 107 | host 192.168.0.26 108 | object network Ventrilo_tcp 109 | host 192.168.0.6 110 | description Ventrilo Server 111 | object network ventrilo_udp 112 | host 192.168.0.6 113 | object network Vent_data_tcp 114 | host 192.168.0.6 115 | object network vent_data_udp 116 | host 192.168.0.6 117 | object network US.LOGON.BATTLE.NET 118 | host 12.129.206.130 119 | description Ysera 120 | object network YSERA 121 | host 199.107.6.199 122 | object network IIS_OWA 123 | host 192.168.0.4 124 | object service https 125 | service tcp source eq https destination eq https 126 | object network Minecraft 127 | host 192.168.0.22 128 | object network Media-Server 129 | host 192.168.0.6 130 | object service 6in4 131 | service 41 132 | object network ipv6_remote_endpoint 133 | host 216.66.22.2 134 | object network ipv6_local_endpoint 135 | host 192.168.0.25 136 | object network DNS_lookup 137 | host 192.168.0.25 138 | object network DNS_transfer 139 | host 192.168.0.25 140 | object-group network obj-192.168.0.0 141 | object-group service metasploit_range tcp 142 | port-object range 4444 4454 143 | object-group protocol TCPUDP 144 | protocol-object udp 145 | protocol-object tcp 146 | object-group network INTERNAL_ONLY_DEVICES 147 | network-object object CANON_PRINTER 148 | network-object object DD-WRT 149 | network-object object ESX_5_SERVER 150 | network-object object ESX_MANAGEMENT 151 | network-object object FREENAS 152 | network-object object SWITCH 153 | network-object object WDTV 154 | object-group service Vent tcp-udp 155 | port-object eq 6011 156 | port-object eq 3784 157 | 
object-group service World_of_Warcraft tcp 158 | port-object eq 3724 159 | port-object eq 6112 160 | port-object range 6881 6999 161 | object-group network Ventrilo 162 | network-object object Vent_data_tcp 163 | network-object object vent_data_udp 164 | network-object object Ventrilo_tcp 165 | network-object object ventrilo_udp 166 | object-group service Battlenet_login tcp 167 | port-object eq 1119 168 | object-group service irc_ports tcp 169 | port-object eq 8001 170 | object-group service minecraft tcp 171 | port-object eq 25565 172 | object-group service Vent_3784 tcp 173 | port-object eq 3784 174 | object-group service Vent_3784_udp udp 175 | port-object eq 3784 176 | access-list outside_access_in extended permit tcp any object CAFFEINATED-SSH eq ssh 177 | access-list outside_access_in extended permit tcp any object ASA_INSIDE eq 8080 178 | access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0 179 | access-list ALLOWED_FROM_OUTSIDE extended permit ip 192.168.0.0 255.255.255.0 object ANYCONNECT_VPN 180 | access-list ALLOWED_FROM_OUTSIDE extended permit object-group TCPUDP any object CAFFEINATED-SSH object-group Vent log emergencies 181 | access-list ALLOWED_FROM_OUTSIDE extended permit tcp any object DansDesktop eq 64620 182 | access-list ALLOWED_FROM_OUTSIDE extended permit tcp any object EXCHANGE_ACTIVESYNC eq www 183 | access-list ALLOWED_FROM_OUTSIDE extended permit tcp any object RDWeb_App eq 3389 184 | access-list ALLOWED_FROM_OUTSIDE extended permit tcp any object EXCHANGE_OWA eq https 185 | access-list ALLOWED_FROM_OUTSIDE extended permit tcp any object EXCHANGE_SMTP(SSL) eq 587 186 | access-list ALLOWED_FROM_OUTSIDE extended permit tcp any object CAFFEINATED-SSH eq ssh 187 | access-list ALLOWED_FROM_OUTSIDE extended permit tcp any object ASA-ASDM_SSLVPN eq www 188 | access-list ALLOWED_FROM_OUTSIDE extended permit tcp any object EXCHANGE_IMAP eq 993 189 | access-list ALLOWED_FROM_OUTSIDE extended 
permit tcp any object EXCHANGE_SMTP eq smtp 190 | access-list ALLOWED_FROM_OUTSIDE extended permit tcp any object RRAS eq pptp 191 | access-list ALLOWED_FROM_OUTSIDE extended permit gre any object RRAS 192 | access-list INSIDE_INBOUND extended deny ip ff00::/16 any6 log 193 | access-list guestwifidmz_access_in extended deny ip ff00::/16 any6 log 194 | access-list outside_access_in_1 extended permit ip any any 195 | access-list outside_access_in_1 extended permit 41 any any 196 | access-list inside_access_in_1 extended permit 41 any any 197 | access-list inside_access_in_1 extended permit ip any any 198 | access-list global_access extended permit icmp any any echo 199 | access-list global_access extended permit icmp any any echo-reply 200 | access-list global_access extended permit tcp any object US.LOGON.BATTLE.NET object-group Battlenet_login log emergencies 201 | access-list global_access extended permit tcp any any object-group World_of_Warcraft log emergencies 202 | access-list global_access extended permit tcp any any eq 8001 log emergencies 203 | access-list global_access extended deny tcp any any eq finger 204 | access-list global_access extended deny ip object-group INTERNAL_ONLY_DEVICES interface outside 205 | access-list global_access extended permit ip 192.168.0.0 255.255.255.0 any 206 | access-list global_access extended permit tcp any object Dans-Desktop eq 64620 207 | access-list global_access extended permit object-group TCPUDP any object DNS_lookup eq domain 208 | access-list global_access extended permit tcp any object Media-Server eq 64621 209 | access-list global_access extended permit tcp any object EXCHANGE_ACTIVESYNC eq www 210 | access-list global_access extended permit tcp any object RDWeb_App eq 3389 211 | access-list global_access extended permit tcp any object EXCHANGE_SMTP(SSL) eq 587 212 | access-list global_access extended permit tcp any object CAFFEINATED-SSH eq ssh 213 | access-list global_access extended permit tcp any object 
ASA-ASDM_SSLVPN eq www 214 | access-list global_access extended permit tcp any object EXCHANGE_IMAP eq 993 215 | access-list global_access extended permit tcp any object EXCHANGE_SMTP eq smtp 216 | access-list global_access extended permit tcp any object RRAS eq pptp 217 | access-list global_access extended permit gre any object RRAS 218 | access-list global_access extended permit tcp any object EXCHANGE_OWA eq https 219 | access-list global_access extended permit tcp any object Minecraft object-group minecraft 220 | access-list global_access extended permit tcp any object Vent_data_tcp object-group Vent_3784 221 | access-list global_access extended permit udp any object vent_data_udp object-group Vent_3784_udp 222 | access-list BAH-PKI-LAB remark BAH-PKI-LAB ACCESS 223 | access-list BAH-PKI-LAB standard permit 10.100.60.0 255.255.255.0 224 | access-list BAH-PKI-LAB remark Vandyke WIFI 225 | access-list BAH-PKI-LAB standard permit 192.168.5.0 255.255.255.0 226 | access-list BAH-PKI-LAB remark BAH-PKI-LAB ACCESS 227 | access-list BAH-PKI-LAB remark Vandyke WIFI 228 | access-list inside_access_in extended permit ip any any 229 | access-list irc extended permit tcp any any eq 8001 log emergencies interval 1 230 | access-list irc extended permit tcp object CAFFEINATED-SSH any object-group irc_ports log debugging interval 10 231 | access-list ipv6tunnel extended permit object 6in4 object ipv6_remote_endpoint object ipv6_local_endpoint 232 | pager lines 24 233 | logging enable 234 | logging emblem 235 | logging console emergencies 236 | logging monitor emergencies 237 | logging buffered emergencies 238 | logging trap emergencies 239 | logging history emergencies 240 | logging asdm emergencies 241 | logging mail emergencies 242 | logging from-address asa@coffee.no-ip.info 243 | logging host inside 192.168.0.22 format emblem 244 | logging message 101001 level emergencies 245 | mtu inside 1500 246 | mtu outside 1500 247 | ip local pool VPN 192.168.0.200-192.168.0.205 mask 
255.255.255.0 248 | ipv6 local pool SecuresubIPV6 2001:470:8:1044::100/64 10 249 | ipv6 access-list outside_access_ipv6_in permit icmp6 interface outside interface inside echo 250 | ipv6 access-list outside_access_ipv6_in permit icmp6 interface outside interface inside echo-reply 251 | no failover 252 | icmp unreachable rate-limit 1 burst-size 1 253 | asdm image disk0:/asdm-649-103.bin 254 | no asdm history enable 255 | arp timeout 14400 256 | nat (inside,outside) source static INSIDE_LAN INSIDE_LAN destination static ANYCONNECT_VPN ANYCONNECT_VPN 257 | nat (inside,outside) source static ipv6_local_endpoint interface destination static ipv6_remote_endpoint ipv6_remote_endpoint 258 | ! 259 | object network INSIDE_LAN 260 | nat (inside,outside) dynamic interface 261 | object network CAFFEINATED-SSH 262 | nat (inside,outside) static interface service tcp ssh ssh 263 | object network EXCHANGE_SMTP(SSL) 264 | nat (inside,outside) static interface service tcp 587 587 265 | object network EXCHANGE_OWA 266 | nat (inside,outside) static interface service tcp https https 267 | object network EXCHANGE_ACTIVESYNC 268 | nat (inside,outside) static interface service tcp www www 269 | object network EXCHANGE_IMAP 270 | nat (inside,outside) static interface service tcp 993 993 271 | object network EXCHANGE_SMTP 272 | nat (inside,outside) static interface service tcp smtp smtp 273 | object network DansDesktop 274 | nat (inside,outside) static interface service tcp 64620 64620 275 | object network RRAS 276 | nat (inside,outside) static interface service tcp pptp pptp 277 | object network RDWeb_App 278 | nat (inside,outside) static interface service tcp 3389 3389 279 | object network Ventrilo_tcp 280 | nat (any,outside) static interface service tcp 3784 3784 281 | object network ventrilo_udp 282 | nat (any,outside) static interface service udp 3784 3784 283 | object network Vent_data_tcp 284 | nat (any,outside) static interface service tcp 6011 6011 285 | object network vent_data_udp 
286 | nat (any,outside) static interface service udp 6011 6011 287 | object network IIS_OWA 288 | nat (any,outside) static interface service tcp https https 289 | object network Minecraft 290 | nat (any,outside) static interface service tcp 25565 25565 291 | object network Media-Server 292 | nat (any,outside) static interface service tcp 64621 64621 293 | object network DNS_lookup 294 | nat (any,outside) static interface service tcp domain domain 295 | object network DNS_transfer 296 | nat (any,outside) static interface service udp domain domain 297 | ! 298 | nat (outside,outside) after-auto source dynamic ANYCONNECT_VPN interface 299 | access-group ipv6tunnel in interface outside 300 | access-group outside_access_ipv6_in in interface outside 301 | access-group global_access global 302 | timeout xlate 3:00:00 303 | timeout pat-xlate 0:00:30 304 | timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 305 | timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 306 | timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 307 | timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute 308 | timeout tcp-proxy-reassembly 0:01:00 309 | timeout floating-conn 0:00:00 310 | dynamic-access-policy-record DfltAccessPolicy 311 | user-identity default-domain LOCAL 312 | aaa authentication ssh console LOCAL 313 | http server enable 8080 314 | http server idle-timeout 10 315 | http 0.0.0.0 0.0.0.0 inside 316 | http 0.0.0.0 0.0.0.0 outside 317 | no snmp-server location 318 | no snmp-server contact 319 | snmp-server enable traps snmp authentication linkup linkdown coldstart 320 | crypto ipsec ikev2 ipsec-proposal AES256 321 | protocol esp encryption aes-256 322 | protocol esp integrity sha-1 md5 323 | crypto ipsec ikev2 ipsec-proposal AES192 324 | protocol esp encryption aes-192 325 | protocol esp integrity sha-1 md5 326 | crypto ipsec ikev2 ipsec-proposal AES 327 | protocol esp encryption aes 328 | protocol esp 
integrity sha-1 md5 329 | crypto ipsec ikev2 ipsec-proposal 3DES 330 | protocol esp encryption 3des 331 | protocol esp integrity sha-1 md5 332 | crypto ipsec ikev2 ipsec-proposal DES 333 | protocol esp encryption des 334 | protocol esp integrity sha-1 md5 335 | crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES 336 | crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP 337 | crypto map outside_map interface outside 338 | crypto ca trustpoint ASDM_TrustPoint1 339 | enrollment terminal 340 | crl configure 341 | crypto ca trustpoint securesub 342 | revocation-check ocsp 343 | keypair securesub 344 | ocsp url http://192.168.0.22:3502 345 | crl configure 346 | crypto ca certificate chain ASDM_TrustPoint1 347 | certificate ca XXXXX 348 | quit 349 | crypto ca certificate chain securesub 350 | certificate XXXXX 351 | quit 352 | crypto ikev2 policy 1 353 | encryption aes-256 354 | integrity sha 355 | group 5 356 | prf sha 357 | lifetime seconds 86400 358 | crypto ikev2 policy 10 359 | encryption aes-192 360 | integrity sha 361 | group 5 362 | prf sha 363 | lifetime seconds 86400 364 | crypto ikev2 policy 20 365 | encryption aes 366 | integrity sha 367 | group 5 368 | prf sha 369 | lifetime seconds 86400 370 | crypto ikev2 policy 30 371 | encryption 3des 372 | integrity sha 373 | group 5 374 | prf sha 375 | lifetime seconds 86400 376 | crypto ikev2 policy 40 377 | encryption des 378 | integrity sha 379 | group 5 380 | prf sha 381 | lifetime seconds 86400 382 | crypto ikev2 remote-access trustpoint securesub 383 | crypto ikev1 policy 10 384 | authentication pre-share 385 | encryption des 386 | hash sha 387 | group 2 388 | lifetime 86400 389 | telnet timeout 5 390 | ssh 192.168.0.0 255.255.255.0 inside 391 | ssh timeout 60 392 | ssh key-exchange group dh-group1-sha1 393 | console timeout 0 394 | management-access inside 395 | 396 | dhcpd auto_config outside 397 | ! 
398 | dhcpd dns 129.250.35.250 129.250.35.251 interface inside 399 | ! 400 | threat-detection basic-threat 401 | threat-detection statistics 402 | threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200 403 | ssl trust-point securesub outside 404 | ssl trust-point securesub inside 405 | webvpn 406 | port 8080 407 | enable outside 408 | anyconnect-essentials 409 | anyconnect image disk0:/anyconnect-win-3.0.5080-k9.pkg 1 410 | anyconnect profiles coffee_anyconnect_client_profile disk0:/coffee_anyconnect_client_profile.xml 411 | anyconnect enable 412 | tunnel-group-list enable 413 | group-policy DefaultRAGroup internal 414 | group-policy DfltGrpPolicy attributes 415 | vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless 416 | group-policy GroupPolicy_coffee_anyconnect internal 417 | group-policy GroupPolicy_coffee_anyconnect attributes 418 | wins-server none 419 | dns-server value 192.168.0.25 4.2.2.2 420 | vpn-tunnel-protocol ikev2 ssl-client 421 | split-tunnel-policy excludespecified 422 | split-tunnel-network-list value BAH-PKI-LAB 423 | default-domain value securesub 424 | webvpn 425 | anyconnect keep-installer installed 426 | anyconnect ssl rekey time 30 427 | anyconnect ssl rekey method ssl 428 | anyconnect profiles value coffee_anyconnect_client_profile type user 429 | anyconnect ask enable default anyconnect timeout 5 430 | group-policy coffee_clientless internal 431 | group-policy coffee_clientless attributes 432 | vpn-tunnel-protocol ssl-clientless 433 | webvpn 434 | url-list value dans 435 | anyconnect ask none default anyconnect 436 | service-type remote-access 437 | username dano password XXXXXX encrypted privilege 15 438 | tunnel-group coffee_anyconnect type remote-access 439 | tunnel-group coffee_anyconnect general-attributes 440 | address-pool VPN 441 | ipv6-address-pool SecuresubIPV6 442 | default-group-policy GroupPolicy_coffee_anyconnect 443 | tunnel-group coffee_anyconnect webvpn-attributes 444 | authentication aaa 
certificate 445 | group-alias coffee_anyconnect disable 446 | group-alias securesub enable 447 | tunnel-group coffee_clientless type remote-access 448 | tunnel-group coffee_clientless general-attributes 449 | default-group-policy coffee_clientless 450 | ! 451 | class-map global-class 452 | match default-inspection-traffic 453 | class-map inspection_default 454 | match default-inspection-traffic 455 | ! 456 | ! 457 | policy-map type inspect dns preset_dns_map 458 | parameters 459 | message-length maximum 512 460 | policy-map FTPPOLICY 461 | class inspection_default 462 | inspect ftp 463 | policy-map global-policy 464 | class global-class 465 | inspect esmtp 466 | inspect ipsec-pass-thru 467 | ! 468 | service-policy global-policy global 469 | prompt hostname context 470 | no call-home reporting anonymous 471 | call-home 472 | profile CiscoTAC-1 473 | no active 474 | destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService 475 | destination address email callhome@cisco.com 476 | destination transport-method http 477 | subscribe-to-alert-group diagnostic 478 | subscribe-to-alert-group environment 479 | subscribe-to-alert-group inventory periodic monthly 480 | subscribe-to-alert-group configuration periodic monthly 481 | subscribe-to-alert-group telemetry periodic daily 482 | hpm topN enable 483 | Cryptochecksum:a92a6de1278b17f8c59b7af2be9e525e 484 | : end 485 | asdm image disk0:/asdm-649-103.bin 486 | no asdm history enable -------------------------------------------------------------------------------- /sample_configs/asa1.txt: -------------------------------------------------------------------------------- 1 | : Saved 2 | : 3 | ASA Version 8.0(2) 4 | ! 
5 | hostname pppfw01 6 | domain-name xyz.com 7 | enable password wewewewewewewe encrypted 8 | names 9 | name 192.168.84.79 collab.xyz.com_int 10 | name 192.168.84.74 lfo.xyz.biz_int 11 | name 192.168.84.2 secure.xyz.biz_int description careers.xyz.com, secure.xyz.biz 12 | name 192.168.84.33 www.xyz.com_dev_int 13 | name 192.168.84.202 folioMedia_int 14 | name 192.168.84.75 andrews_int 15 | name 192.168.84.94 atlas.xyz.com_int 16 | name 192.168.84.80 cata_int 17 | name 192.168.84.71 facebook_dev_int description also life demo 18 | name 192.168.84.35 mingle_int 19 | name 192.168.83.35 qphone_int description asterisk VOIP server 20 | name 192.168.84.91 rapReport_dev_int 21 | name 192.168.83.71 wopr.xyz.com_int 22 | name 220.5.222.103 folioMedia_ext 23 | name 220.5.222.104 andrews_ext 24 | name 220.5.222.105 atlas.xyz.com_ext 25 | name 220.5.222.106 cata_ext 26 | name 220.5.222.99 collab.xyz.com_ext 27 | name 220.5.222.107 facebook_dev_ext 28 | name 220.5.222.100 lfo.xyz.biz_ext 29 | name 220.5.222.109 mingle_ext 30 | name 220.5.222.111 rapReport_dev_ext 31 | name 220.5.222.101 secure.xyz.biz_ext 32 | name 220.5.222.102 www.xyz.com_dev_ext 33 | name 192.168.84.199 backup_test 34 | name 86.10.93.95 cata1 35 | name 87.5.13.226 cata2 36 | name 96.55.137.194 cata5 37 | name 46.223.6.85 cata6 38 | name 09.194.230.62 andrews_remote1 39 | name 192.168.84.211 NAL_build_int 40 | name 192.168.84.89 NAL_sharepoint_int 41 | name 192.168.84.93 iPhone_dev_int 42 | name 192.168.84.92 netflix_skunkworks_dev_int 43 | name 192.168.84.78 win2k_server_IE6 description for IE6 testing 44 | name 220.5.222.108 iPhone_dev_ext 45 | name 192.168.83.115 atoth_macbook_pro description temporary for IE6 testing 46 | name 192.168.83.250 Openfiler description Openfiler SAN File Access 47 | name 192.168.87.0 vpn description VPN network 48 | name 66.1.1.196 xo_dns_2 description XO DNS server 2 49 | name 192.168.84.250 openfiler01_dns_dmz description openfiler01 DNS resolver on .84net DMZ 50 | name 
192.168.84.200 PM_staging_DB_server 51 | name 192.168.86.0 vpn_network description wired IPsec VPN 52 | name 220.5.222.115 vmdev_ext 53 | name 192.168.83.40 vmdev_int 54 | name 220.5.222.110 yovidportal_ext description yovid porrtal / router external 55 | name 192.168.84.161 yovidportal_int description yovid portal / router internal 56 | name 220.5.222.113 asterisknow_ext description AsteriskNow / FreePBX VOIP VM external 57 | name 192.168.84.162 asterisknow_int description AsteriskNow / FreePBX VOIP VM 58 | name 68.1.7.196 xo_dns_1 59 | name 72.43.165.29 folioMediaOfficeFirewall1 description PM office firewall 60 | name 192.168.83.34 switchvox1_int description VOIP server 61 | name 220.5.222.114 lifestg1_ext description life staging VM external 62 | name 192.168.84.70 lifestg1_int description life staging VM internal 63 | name 192.168.84.81 vmdmz01_int description vmware host 64 | name 192.168.88.0 Consultants_VPN_IP_Range description Offshore Consultants IP Range 65 | name 220.5.222.116 qphone_ext description qphone external 66 | name 220.5.222.117 FTPserver_ext description PFD FTP Server 67 | name 192.168.84.96 FTPserver_int description PFD FTP server and Switchvox backups 68 | name 71.40.6.4 life_White description tesat access for user 69 | name 220.5.222.118 switchvox1_ext description switchvox voip server 70 | name 98.226.156.222 djoya_home 71 | name 70.183.82.162 switchvox_tech_support description Switchvox technical support 72 | name 220.5.222.112 woprtasker_ext description WOPR and Tasker 73 | name 192.168.84.85 woprtasker_int description WOPR & Tasker 74 | name 216.24.42.112 life_Hawkins description life test access 75 | name 160.79.23.2 life_Gandhi description test access for user 76 | name 220.5.222.119 svnmail_ext description svnmail external for SMTP -temporary 77 | name 192.168.83.234 svnmail_int description PFD subversion server and SMTP relay 78 | name 88.111.222.150 xobot_firewall description xobot PFD firewall 79 | name 67.106.72.171 xoman 
description XO management server 80 | name 64.208.203.164 stunusa.yovid.com description yovid STUN server for VOIP 81 | name 192.168.85.0 wlan0_network description Wireless LAN on Cisco AiroNet 82 | name 98.100.78.97 floss_Firewall2 description floss gateway 83 | name 220.5.222.121 flossDev_ext description floss dev web server 84 | name 192.168.84.212 flossDev_int description floss dev web server 85 | name 220.5.222.120 flossTest_ext description floss test server 86 | name 192.168.84.226 flossTest_int description floss stress test server 87 | name 76.23.60.105 life_BlakeBishop description user access to test env 88 | name 75.150.249.160 life_TraceyStack description test access for user 89 | name 192.168.84.88 collab3.xyz.com_int description collab3 confluence jira on vmware esxi vm 90 | name 92.17.0.0 pfd_dsl_ext description xyzinder 91 | name 64.61.93.0 voicepulse_SIP_network1 description voicepulse_SIP_network1 92 | name 209.31.18.0 voicepulse_SIP_network2 description voicepulse_SIP_network2 93 | name 67.108.9.160 voicepulse_SIP_network3 description voicepulse_SIP_network3 94 | name 192.168.84.86 woprstaging_int description WOPR staging VM 95 | name 99.140.205.154 djoya_test 96 | name 220.5.222.123 yovidportalalpha_ext description yovid portal for life alpha environment external ip 97 | name 192.168.84.163 yovidportalalpha_int description yovid portal for life alpha environment 98 | name 67.163.14.68 alan_home 99 | name 220.5.222.124 life_alpha_ext description life Alpha App 100 | name 192.168.84.72 life_alpha_int description life Alpha app 101 | name 94.140.0.0 pfd_dsl2_ext description PFA AT&T DSL range 2 102 | name 192.168.84.165 asterisknow2_int description AsteriskNow2 / FreePBX VOIP VM 103 | name 220.5.222.125 asterisknow2_ext description AsteriskNow2 / FreePBX VOIP VM external 104 | ! 105 | interface Ethernet0/0 106 | description Internal 83 Network 107 | nameif Internal 108 | security-level 100 109 | ip address 192.168.83.1 255.255.255.0 110 | ! 
111 | interface Ethernet0/1 112 | description DMZ Interface 113 | nameif DMZ0 114 | security-level 50 115 | ip address 192.168.84.1 255.255.255.0 116 | ! 117 | interface Ethernet0/2 118 | description Wireless LAN 85 network 119 | nameif wlan0 120 | security-level 75 121 | ip address 192.168.85.1 255.255.255.0 122 | ! 123 | interface Ethernet0/3 124 | description Internet 125 | duplex full 126 | nameif wan0 127 | security-level 0 128 | ip address 220.5.222.98 255.255.255.224 129 | ! 130 | interface Management0/0 131 | description ADSM Interface LAN 192.168.1.X 132 | nameif management 133 | security-level 100 134 | ip address 192.168.1.1 255.255.255.0 135 | management-only 136 | ! 137 | passwd xxxxxxxxxxxxxxxxx encrypted 138 | ftp mode passive 139 | clock timezone CST -6 140 | clock summer-time CDT recurring 141 | dns domain-lookup Internal 142 | dns domain-lookup wlan0 143 | dns domain-lookup wan0 144 | dns server-group DMZ_DNS 145 | name-server openfiler01_dns_dmz 146 | dns server-group DefaultDNS 147 | name-server 4.2.2.1 148 | name-server 4.2.2.2 149 | domain-name xyz.com 150 | dns server-group openfiler01 151 | name-server xo_dns_2 152 | name-server 208.67.222.222 153 | name-server 4.2.2.1 154 | name-server xo_dns_1 155 | domain-name xyz.com 156 | dns-group openfiler01 157 | same-security-traffic permit inter-interface 158 | same-security-traffic permit intra-interface 159 | object-group service All_services tcp-udp 160 | description All services 161 | port-object range 1 65535 162 | object-group service facebook tcp 163 | description facebook dev ports 164 | port-object range 3000 3010 165 | object-group network cata_access 166 | network-object host cata5 167 | network-object host cata2 168 | network-object host cata1 169 | network-object host cata6 170 | object-group service DM_INLINE_TCP_1 tcp 171 | group-object facebook 172 | port-object eq www 173 | object-group service livelinks_flex tcp 174 | port-object eq 8090 175 | object-group network andrews_remote 
176 | network-object host cata2 177 | network-object host andrews_remote1 178 | object-group service DM_INLINE_TCP_2 tcp 179 | port-object eq www 180 | port-object eq https 181 | object-group service svn tcp 182 | description subversion 183 | port-object eq 3690 184 | object-group service Openfiler tcp-udp 185 | description Openfiler ports 137-139 & 445 186 | port-object eq 137 187 | port-object eq 138 188 | port-object eq 139 189 | object-group protocol TCPUDP 190 | protocol-object udp 191 | protocol-object tcp 192 | object-group service iax2 udp 193 | description iax2 for asterisk VOIP 194 | port-object eq 4569 195 | object-group network DM_INLINE_NETWORK_1 196 | network-object host xo_dns_2 197 | network-object host xo_dns_1 198 | object-group network DM_INLINE_NETWORK_2 199 | network-object host andrews_int 200 | network-object host cata_int 201 | network-object host netflix_skunkworks_dev_int 202 | network-object host lifestg1_int 203 | network-object host collab.xyz.com_int 204 | object-group network DM_INLINE_NETWORK_3 205 | network-object host andrews_int 206 | network-object host cata_int 207 | network-object host rapReport_dev_int 208 | network-object host woprstaging_int 209 | object-group network DM_INLINE_NETWORK_4 210 | network-object host lfo.xyz.biz_ext 211 | network-object host secure.xyz.biz_ext 212 | network-object host www.xyz.com_dev_ext 213 | network-object host atlas.xyz.com_ext 214 | network-object host iPhone_dev_ext 215 | network-object host yovidportal_ext 216 | network-object host yovidportalalpha_ext 217 | network-object host life_alpha_ext 218 | object-group network DM_INLINE_NETWORK_5 219 | network-object host mingle_ext 220 | network-object host woprtasker_ext 221 | network-object host collab.xyz.com_ext 222 | network-object host secure.xyz.biz_ext 223 | object-group service ssh_11411 tcp 224 | description per maca for rap reporting 225 | port-object eq 11411 226 | object-group network DM_INLINE_NETWORK_6 227 | network-object host 
folioMedia_ext 228 | network-object host rapReport_dev_ext 229 | object-group service iax2voip udp 230 | description iax2 231 | group-object iax2 232 | object-group network DM_INLINE_NETWORK_7 233 | network-object 0.0.0.0 0.0.0.0 234 | group-object cata_access 235 | object-group network DM_INLINE_NETWORK_8 236 | network-object host xo_dns_2 237 | network-object host xo_dns_1 238 | object-group service DM_INLINE_SERVICE_1 239 | service-object tcp-udp eq 10000 240 | service-object udp range 50000 65535 241 | service-object udp eq sip 242 | service-object tcp eq 30000 243 | service-object tcp eq 45606 244 | service-object tcp eq 50000 245 | service-object tcp eq 20000 246 | service-object tcp eq 3478 247 | service-object udp 248 | object-group service remote_desktop 249 | service-object tcp eq 3389 250 | object-group network consultant_vpn 251 | description consultant 88.X Network 252 | network-object Consultants_VPN_IP_Range 255.255.255.0 253 | object-group network DM_INLINE_NETWORK_9 254 | network-object host yovidportal_int 255 | network-object host asterisknow_int 256 | network-object host lifestg1_int 257 | object-group service VNC tcp 258 | description VNC access 259 | port-object range 5900 5901 260 | object-group service DM_INLINE_SERVICE_4 261 | service-object tcp eq rtsp 262 | service-object tcp-udp range 10000 20000 263 | service-object udp range 50000 65535 264 | service-object udp eq sip 265 | object-group service DM_INLINE_SERVICE_5 266 | service-object tcp eq rtsp 267 | service-object tcp-udp range 10000 20000 268 | service-object udp range 50000 65535 269 | service-object udp eq sip 270 | object-group network life_testAccessGroup 271 | description life users access to our test env 272 | network-object host life_LeslieWhite 273 | network-object life_KevinHawkins 255.255.255.240 274 | network-object host life_ChetanGandhi 275 | network-object host Chetan_Lab 276 | network-object host life_BlakeBishop 277 | network-object life_TraceyStack 255.255.255.248 
278 | network-object pfd_dsl_ext 255.255.0.0 279 | network-object pfd_dsl2_ext 255.255.0.0 280 | object-group service DM_INLINE_UDP_1 udp 281 | port-object range 10000 10500 282 | port-object eq sip 283 | object-group service DM_INLINE_SERVICE_6 284 | service-object tcp eq https 285 | service-object tcp eq ssh 286 | service-object udp range 10000 10500 287 | service-object udp eq sip 288 | object-group service pptp tcp 289 | description Point ti Point Tunnel Protocol 290 | port-object eq pptp 291 | object-group service gre tcp 292 | description gre 293 | port-object eq 47 294 | object-group service DM_INLINE_TCP_3 tcp 295 | port-object eq 8080 296 | port-object eq www 297 | object-group service DM_INLINE_SERVICE_8 298 | service-object tcp eq 30000 299 | service-object tcp eq 45606 300 | service-object tcp eq 50000 301 | service-object tcp eq 20000 302 | service-object udp 303 | service-object tcp eq 10000 304 | service-object tcp eq 3478 305 | object-group network DM_INLINE_NETWORK_12 306 | network-object host collab.xyz.com_int 307 | network-object host woprtasker_int 308 | network-object host woprstaging_int 309 | object-group service Hyperic_2144 tcp 310 | description Hyperic health check protocol 311 | port-object eq 2144 312 | object-group service Hyperic_7080 tcp 313 | description Hyperic 314 | port-object eq 7080 315 | object-group service remoteDesktop tcp 316 | description Windows remote desktop 317 | port-object eq 3389 318 | object-group service stun tcp-udp 319 | description nat-stun 320 | port-object eq 3478 321 | object-group network DM_INLINE_NETWORK_13 322 | network-object host djoya_home 323 | network-object pfd_dsl_ext 255.255.0.0 324 | object-group protocol DM_INLINE_PROTOCOL_1 325 | protocol-object ip 326 | protocol-object udp 327 | object-group service rtp udp 328 | description RTP for voip voice and video traffic 329 | port-object range 10000 20000 330 | object-group service vonage_sip_and_rtp tcp-udp 331 | description Vonage is nuts... 
seems to require many ports open 332 | port-object range 5000 31000 333 | object-group network voicepulse_SIP 334 | description Voicepulse SIP networks 335 | network-object voicepulse_SIP_network2 255.255.255.0 336 | network-object voicepulse_SIP_network1 255.255.255.0 337 | network-object voicepulse_SIP_network3 255.255.255.224 338 | object-group service DM_INLINE_UDP_3 udp 339 | group-object rtp 340 | port-object eq sip 341 | object-group service DM_INLINE_UDP_4 udp 342 | group-object rtp 343 | port-object eq sip 344 | object-group network change_client_ips 345 | description allow customer to access the Open Exchange staging site 346 | network-object host Dog_Ash 347 | network-object host Jon_Gold 348 | object-group network DM_INLINE_NETWORK_11 349 | network-object host yovidportal_ext 350 | network-object host yovidportalalpha_ext 351 | object-group network DM_INLINE_NETWORK_15 352 | network-object host yovidportal_ext 353 | network-object host yovidportalalpha_ext 354 | object-group network DM_INLINE_NETWORK_16 355 | network-object host yovidportal_int 356 | network-object host yovidportalalpha_int 357 | object-group network DM_INLINE_NETWORK_10 358 | network-object host lifestg1_ext 359 | network-object host life_alpha_ext 360 | object-group network DM_INLINE_NETWORK_14 361 | network-object host asterisknow_ext 362 | network-object host asterisknow2_ext 363 | object-group network DM_INLINE_NETWORK_17 364 | network-object host asterisknow_int 365 | network-object host asterisknow2_int 366 | object-group network DM_INLINE_NETWORK_18 367 | network-object host asterisknow_int 368 | network-object host asterisknow2_int 369 | object-group network DM_INLINE_NETWORK_19 370 | network-object host asterisknow_int 371 | network-object host asterisknow2_int 372 | access-list wan0_access_in extended permit object-group TCPUDP host alan_home any object-group All_services 373 | access-list wan0_access_in remark allow wireless LAN access to outside internet 374 | access-list 
wan0_access_in extended permit object-group DM_INLINE_PROTOCOL_1 wlan0_network 255.255.255.0 any log warnings 375 | access-list wan0_access_in extended permit object-group TCPUDP any wlan0_network 255.255.255.0 376 | access-list wan0_access_in extended permit tcp any object-group DM_INLINE_NETWORK_4 eq www log disable 377 | access-list wan0_access_in remark Public FTP server with secure login (leave this rule disabled until Alan verifies vsftpd security) 378 | access-list wan0_access_in remark Same FTP server also accepts switchvox server backups to /home/switchvoxbackups 379 | access-list wan0_access_in extended permit tcp any host FTPserver_ext eq ssh inactive 380 | access-list wan0_access_in extended permit tcp object-group DM_INLINE_NETWORK_7 host cata_ext eq www log 381 | access-list wan0_access_in remark comment 382 | access-list wan0_access_in extended permit tcp any object-group DM_INLINE_NETWORK_5 eq https log warnings 383 | access-list wan0_access_in remark for asterisk voip server IAX2 384 | access-list wan0_access_in extended permit udp any host qphone_ext object-group iax2 log errors 385 | access-list wan0_access_in remark for switchvox asterisk-based voip server 386 | access-list wan0_access_in extended permit udp any host switchvox1_int object-group iax2 log warnings 387 | access-list wan0_access_in remark port 80 is for life,facebookdev1 is 3000-3010 388 | access-list wan0_access_in extended permit tcp any host facebook_dev_ext object-group DM_INLINE_TCP_1 log disable 389 | access-list wan0_access_in remark i removed livelinks_flex (TCP/8090); not sure what that was for -djoya 390 | access-list wan0_access_in extended permit tcp object-group life_testAccessGroup object-group DM_INLINE_NETWORK_10 object-group DM_INLINE_TCP_3 log disable 391 | access-list wan0_access_in remark Andrews demo site 392 | access-list wan0_access_in remark Andrews demo site 393 | access-list wan0_access_in remark Andrews demo site 394 | access-list wan0_access_in remark 
Andrews demo site 395 | access-list wan0_access_in remark Andrews demo site 396 | access-list wan0_access_in remark Andrews demo site 397 | access-list wan0_access_in remark Andrews demo site 398 | access-list wan0_access_in remark Andrews demo site 399 | access-list wan0_access_in remark Andrews demo site 400 | access-list wan0_access_in extended permit tcp object-group andrews_remote host andrews_ext eq www log disable inactive 401 | access-list wan0_access_in extended permit tcp any object-group DM_INLINE_NETWORK_6 object-group DM_INLINE_TCP_2 log disable 402 | access-list wan0_access_in extended permit tcp host folioMediaOfficeFirewall1 host folioMedia_ext eq ftp log 403 | access-list wan0_access_in remark for yovid Portal / Router SIP UDP 5060 from outside world 404 | access-list wan0_access_in remark these ports have been requested by the yovid support staff... 405 | access-list wan0_access_in remark I'm not sure if they are all really needed tcp/3478 is for STUN 406 | access-list wan0_access_in extended permit object-group DM_INLINE_SERVICE_1 any object-group DM_INLINE_NETWORK_11 log warnings 407 | access-list wan0_access_in remark for yovid staff to debug issue for Ivan 408 | access-list wan0_access_in extended permit tcp any object-group DM_INLINE_NETWORK_15 eq 2222 log warnings 409 | access-list wan0_access_in remark for life yovid project for testing AsteriskNow VM with Voicepulse 410 | access-list wan0_access_in extended permit udp object-group voicepulse_SIP object-group DM_INLINE_NETWORK_14 object-group DM_INLINE_UDP_4 log errors 411 | access-list wan0_access_in remark qphone voip 412 | access-list wan0_access_in extended permit object-group DM_INLINE_SERVICE_4 any host qphone_ext log warnings inactive 413 | access-list wan0_access_in remark for yovid Portal / Router IAX2 access from outside world 414 | access-list wan0_access_in extended permit udp any object-group DM_INLINE_NETWORK_19 object-group iax2 log warnings 415 | access-list wan0_access_in 
remark SIP VOIP soft phones can register with PFD switchvox1 server 416 | access-list wan0_access_in remark for people working at home and contractors 417 | access-list wan0_access_in extended permit udp object-group DM_INLINE_NETWORK_13 host switchvox1_ext object-group DM_INLINE_UDP_1 log critical 418 | access-list wan0_access_in remark SSH access for Switchvox tech support 419 | access-list wan0_access_in extended permit object-group DM_INLINE_SERVICE_6 host switchvox_tech_support host switchvox1_ext log warnings 420 | access-list wan0_access_in remark allow SMTP connections from PFD servers at XO 421 | access-list wan0_access_in extended permit tcp host xobot_firewall host svnmail_ext eq smtp log warnings 422 | access-list wan0_access_in extended permit icmp any any 423 | access-list wan0_access_in remark allow Open Exchange client IPs to access their staging VM port 80 424 | access-list wan0_access_in extended permit tcp object-group change_client_ips host change_ext eq www log warnings 425 | access-list xyzinder_splitTunnelAcl standard permit 192.168.83.0 255.255.255.0 426 | access-list xyzinder_splitTunnelAcl standard permit 192.168.84.0 255.255.255.0 427 | access-list management_nat0_outbound extended permit ip any 192.168.86.2 255.255.255.254 428 | access-list administrators_splitTunnelAcl standard permit any 429 | access-list nonat extended permit ip 192.168.83.0 255.255.255.0 vpn_network 255.255.255.0 430 | access-list nonat extended permit ip 192.168.83.0 255.255.255.0 192.168.84.0 255.255.255.0 431 | access-list nonat extended permit ip 192.168.83.0 255.255.255.0 Consultants_VPN_IP_Range 255.255.255.0 432 | access-list nonat extended permit ip host svnmail_int vpn 255.255.255.0 433 | access-list nonat extended permit ip host svnmail_int Consultants_VPN_IP_Range 255.255.255.0 434 | access-list nonat extended permit ip host yovidportal_int Consultants_VPN_IP_Range 255.255.255.0 435 | access-list nonat extended permit ip 192.168.83.0 255.255.255.0 
wlan0_network 255.255.255.0 436 | access-list DMZ0_nat0_outbound extended permit ip 192.168.84.0 255.255.255.0 vpn_network 255.255.255.0 437 | access-list DMZ0_nat0_outbound extended permit ip 192.168.84.0 255.255.255.0 vpn 255.255.255.0 438 | access-list DMZ0_nat0_outbound extended permit ip 192.168.84.0 255.255.255.0 Consultants_VPN_IP_Range 255.255.255.0 439 | access-list Internal_access_in extended permit udp any object-group DM_INLINE_NETWORK_1 eq domain log disable 440 | access-list Internal_access_in remark qphone voip 441 | access-list Internal_access_in extended permit object-group DM_INLINE_SERVICE_5 any host qphone_int log disable 442 | access-list Internal_access_in extended permit icmp any 192.168.84.0 255.255.255.0 443 | access-list Internal_access_in extended permit ip any 192.168.84.0 255.255.255.0 log disable 444 | access-list Internal_access_in remark DMZ access to subversion on svnmail 445 | access-list Internal_access_in extended permit tcp object-group DM_INLINE_NETWORK_2 host svnmail_int object-group svn log 446 | access-list Internal_access_in remark DMZ access to smtp on svnmail 447 | access-list Internal_access_in extended permit tcp object-group DM_INLINE_NETWORK_3 host svnmail_int eq smtp log 448 | access-list Internal_access_in remark atoth testing client apps with IE6 449 | access-list Internal_access_in extended permit tcp host win2k_server_IE6 host atoth_macbook_pro eq www log 450 | access-list Internal_access_in extended permit icmp 192.168.83.0 255.255.255.0 any 451 | access-list Internal_access_in extended permit ip any any log disable 452 | access-list Internal_access_in remark All SSH to restore DB backups from Prod 453 | access-list Internal_access_in extended permit tcp host PM_staging_DB_server host Openfiler eq ssh 454 | access-list Internal_access_in extended permit tcp object-group consultant_vpn object-group DM_INLINE_NETWORK_9 object-group All_services inactive 455 | access-list Internal_access_in extended permit tcp 
object-group consultant_vpn host svnmail_int object-group svn 456 | access-list Internal_access_in remark Allow consultants VPN access to any .83 device for agile dev. 457 | access-list Internal_access_in extended permit tcp object-group consultant_vpn 192.168.83.0 255.255.255.0 object-group VNC inactive 458 | access-list Internal_access_in extended permit icmp object-group consultant_vpn 192.168.83.0 255.255.255.0 inactive 459 | access-list xyzinder_development_splitTunnelAcl standard permit 192.168.84.0 255.255.255.0 460 | access-list DMZ_in extended permit icmp any any 461 | access-list DMZ_in remark added by Cisco 462 | access-list DMZ_in extended permit tcp any any eq https 463 | access-list DMZ_in remark allows http traffic out of the DMZ 464 | access-list DMZ_in extended permit tcp any any eq www log disable 465 | access-list DMZ_in remark per maca for rapreporting 466 | access-list DMZ_in extended permit tcp host rapReport_dev_int host 68.91.41.160 object-group ssh_11411 log warnings 467 | access-list DMZ_in remark per maca allow cruisecontrol to send emails 468 | access-list DMZ_in extended permit tcp host rapReport_dev_int any eq smtp log warnings 469 | access-list DMZ_in remark allow confluence wiki & jira, and WOPR and WOPR staging to send emails 470 | access-list DMZ_in extended permit tcp object-group DM_INLINE_NETWORK_12 any eq smtp log warnings 471 | access-list DMZ_in remark allow jira subversion commit plugin to contact subversion 472 | access-list DMZ_in extended permit tcp host collab.xyz.com_int host svnmail_int object-group svn log warnings 473 | access-list DMZ_in remark allow pmruby1 folio Media staging / lfodemo / pmdemo to send emails thru 474 | access-list DMZ_in remark mailer.foliomedia.com 222.222.22.183 which is at XO data center 475 | access-list DMZ_in extended permit tcp host lfo.xyz.biz_int any eq smtp log warnings 476 | access-list DMZ_in remark allow asterisknow VM to make outbound SIP connections to Voicepulse and to softphones 
on our LAN 477 | access-list DMZ_in remark for yovid/life project 478 | access-list DMZ_in extended permit udp object-group DM_INLINE_NETWORK_18 object-group voicepulse_SIP object-group DM_INLINE_UDP_3 log errors 479 | access-list DMZ_in remark For life outbound yovid traffic tcp/3478 is for STUN 480 | access-list DMZ_in extended permit object-group DM_INLINE_SERVICE_8 object-group DM_INLINE_NETWORK_16 any log disable 481 | access-list DMZ_in remark allow asterisknow VM to make outbound IAX2 connections to nufone, etc for yovid/life project 482 | access-list DMZ_in extended permit udp object-group DM_INLINE_NETWORK_17 any object-group iax2 log warnings 483 | access-list DMZ_in remark allow vmdmz01 rsync data to xman:/offsite for critical backups 484 | access-list DMZ_in extended permit tcp host vmdmz01_int host xoman eq ssh log warnings 485 | access-list DMZ_in remark allow servers on DMZ to access XO name servers for DNS if openfiler01 dnsmasq is not available 486 | access-list DMZ_in extended permit udp 192.168.84.0 255.255.255.0 object-group DM_INLINE_NETWORK_8 eq domain log warnings 487 | access-list DMZ_in remark allow DMZ servers to access external time servers 488 | access-list DMZ_in extended permit udp 192.168.84.0 255.255.255.0 any eq ntp log warnings 489 | access-list DMZ_in extended permit tcp any any eq ftp-data log disable 490 | access-list DMZ_in extended permit tcp any any eq ftp 491 | access-list DMZ_in extended permit object-group remote_desktop any any 492 | access-list DMZ_in remark allow openfiler01 on DMZ to provide DNS service for wireless clients connected to .85 net 493 | access-list DMZ_in extended permit object-group TCPUDP host openfiler01_dns_dmz wlan0_network 255.255.255.0 eq domain log debugging 494 | access-list DMZ_in extended permit tcp 192.168.84.0 255.255.255.0 host xoman object-group Hyperic_7080 495 | access-list DMZ_in extended permit tcp any any object-group Hyperic_2144 496 | access-list capin extended permit icmp any any 
497 | access-list xyzinder_customer_splitTunnelAcl standard permit 192.168.84.0 255.255.255.0 498 | access-list consultants_splitTunnelAcl standard permit host svnmail_int 499 | access-list consultants_splitTunnelAcl standard permit 192.168.83.0 255.255.255.0 500 | access-list consultants_splitTunnelAcl standard permit host lifestg1_int 501 | access-list consultants_splitTunnelAcl standard permit host yovidportal_int 502 | access-list consultants_splitTunnelAcl standard permit host asterisknow_int 503 | access-list wlan0_access_in remark allow openfiler01 DNS replies to wireless LAN clients 504 | access-list wlan0_access_in extended permit object-group TCPUDP host openfiler01_dns_dmz wlan0_network 255.255.255.0 eq domain log warnings 505 | access-list wlan0_access_in extended permit object-group TCPUDP any host openfiler01_dns_dmz eq domain log warnings 506 | access-list DMZ0_nat0_outbound_1 extended permit ip 192.168.84.0 255.255.255.0 wlan0_network 255.255.255.0 507 | access-list wlan0_nat0_outbound extended permit ip wlan0_network 255.255.255.0 192.168.84.0 255.255.255.0 508 | access-list wlan0_nat0_outbound extended permit ip wlan0_network 255.255.255.0 220.5.222.96 255.255.255.224 509 | access-list wan0_nat0_outbound_1 extended permit ip 220.5.222.96 255.255.255.224 wlan0_network 255.255.255.0 510 | pager lines 24 511 | logging enable 512 | logging buffered warnings 513 | logging asdm warnings 514 | logging recipient-address support@xyz.com level errors 515 | mtu Internal 1500 516 | mtu DMZ0 1500 517 | mtu wlan0 1500 518 | mtu wan0 1500 519 | mtu management 1500 520 | ip local pool IPSec_IP_DMZ_Pool 192.168.87.2-192.168.87.252 mask 255.255.255.0 521 | ip local pool management 192.168.1.2-192.168.1.10 mask 255.255.255.0 522 | ip local pool IPSec_IP_Pool 192.168.86.2-192.168.86.252 mask 255.255.255.0 523 | ip local pool consultants 192.168.88.2-192.168.88.12 mask 255.255.255.0 524 | no failover 525 | icmp unreachable rate-limit 1 burst-size 1 526 | icmp permit 
any Internal 527 | asdm image disk0:/asdm-603.bin 528 | no asdm history enable 529 | arp wan0 collab.xyz.com_ext 001d.7066.7f61 alias 530 | arp wan0 lfo.xyz.biz_ext 001d.7066.7f61 alias 531 | arp wan0 www.xyz.com_dev_ext 001d.7066.7f61 alias 532 | arp wan0 secure.xyz.biz_ext 001d.7066.7f61 alias 533 | arp timeout 14400 534 | global (wan0) 1 interface 535 | nat (Internal) 0 access-list nonat 536 | nat (Internal) 1 0.0.0.0 0.0.0.0 537 | nat (DMZ0) 0 access-list DMZ0_nat0_outbound 538 | nat (DMZ0) 0 access-list DMZ0_nat0_outbound_1 outside 539 | nat (DMZ0) 1 0.0.0.0 0.0.0.0 540 | nat (wlan0) 0 access-list wlan0_nat0_outbound 541 | nat (wan0) 0 access-list wan0_nat0_outbound_1 outside 542 | nat (wan0) 1 vpn 255.255.255.0 543 | nat (management) 0 access-list management_nat0_outbound 544 | static (wan0,Internal) udp interface domain Openfiler domain netmask 255.255.255.255 545 | static (wan0,DMZ0) udp interface domain openfiler01_dns_dmz domain netmask 255.255.255.255 546 | static (DMZ0,wan0) secure.xyz.biz_ext secure.xyz.biz_int netmask 255.255.255.255 547 | static (DMZ0,wan0) facebook_dev_ext facebook_dev_int netmask 255.255.255.255 548 | static (Internal,DMZ0) 192.168.83.0 192.168.83.0 netmask 255.255.255.0 549 | static (Internal,wan0) vmdev_ext vmdev_int netmask 255.255.255.255 550 | static (DMZ0,wan0) lifestg1_ext lifestg1_int netmask 255.255.255.255 551 | static (DMZ0,wan0) andrews_ext andrews_int netmask 255.255.255.255 552 | static (DMZ0,wan0) collab.xyz.com_ext collab.xyz.com_int netmask 255.255.255.255 553 | static (DMZ0,wan0) lfo.xyz.biz_ext lfo.xyz.biz_int netmask 255.255.255.255 554 | static (DMZ0,wan0) atlas.xyz.com_ext atlas.xyz.com_int netmask 255.255.255.255 555 | static (DMZ0,wan0) cata_ext cata_int netmask 255.255.255.255 556 | static (DMZ0,wan0) iPhone_dev_ext iPhone_dev_int netmask 255.255.255.255 557 | static (DMZ0,wan0) folioMedia_ext folioMedia_int netmask 255.255.255.255 558 | static (DMZ0,wan0) rapReport_dev_ext rapReport_dev_int netmask 
255.255.255.255 559 | static (Internal,wan0) switchvox1_ext switchvox1_int netmask 255.255.255.255 560 | static (DMZ0,wan0) woprtasker_ext woprtasker_int netmask 255.255.255.255 561 | static (DMZ0,wan0) www.xyz.com_dev_ext www.xyz.com_dev_int netmask 255.255.255.255 562 | static (DMZ0,wan0) mingle_ext mingle_int netmask 255.255.255.255 563 | static (DMZ0,wan0) yovidportal_ext yovidportal_int netmask 255.255.255.255 564 | static (Internal,wan0) svnmail_ext svnmail_int netmask 255.255.255.255 565 | static (DMZ0,wan0) yovidportalalpha_ext yovidportalalpha_int netmask 255.255.255.255 566 | static (DMZ0,wan0) asterisknow_ext asterisknow_int netmask 255.255.255.255 567 | static (DMZ0,wan0) asterisknow2_ext asterisknow2_int netmask 255.255.255.255 568 | static (DMZ0,wan0) change_ext change_int netmask 255.255.255.255 569 | static (DMZ0,wan0) FTPserver_ext FTPserver_int netmask 255.255.255.255 570 | static (DMZ0,wan0) flossTest_ext flossTest_int netmask 255.255.255.255 571 | static (DMZ0,wan0) flossDev_int flossDev_ext netmask 255.255.255.255 572 | static (DMZ0,wan0) life_alpha_ext life_alpha_int netmask 255.255.255.255 573 | access-group Internal_access_in in interface Internal 574 | access-group DMZ_in in interface DMZ0 575 | access-group wlan0_access_in in interface wlan0 576 | access-group wan0_access_in in interface wan0 577 | route wan0 0.0.0.0 0.0.0.0 220.5.222.97 1 578 | route Internal 192.168.83.0 255.255.255.0 192.168.83.1 1 579 | route DMZ0 192.168.84.0 255.255.255.0 192.168.84.1 1 580 | route wlan0 wlan0_network 255.255.255.0 192.168.85.1 1 581 | timeout xlate 3:00:00 582 | timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 583 | timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 584 | timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 585 | timeout uauth 0:05:00 absolute 586 | dynamic-access-policy-record DfltAccessPolicy 587 | aaa authentication enable console LOCAL 588 | aaa 
authentication http console LOCAL 589 | aaa authentication serial console LOCAL 590 | aaa authentication ssh console LOCAL 591 | aaa authentication telnet console LOCAL 592 | aaa authorization command LOCAL 593 | aaa authentication secure-http-client 594 | aaa authorization exec authentication-server 595 | http server enable 596 | http djoya_home 255.255.255.255 wan0 597 | http 192.168.83.0 255.255.255.0 Internal 598 | http vpn_network 255.255.255.0 Internal 599 | http vpn_network 255.255.255.0 wan0 600 | http 71.201.199.161 255.255.255.255 wan0 601 | http 192.168.1.0 255.255.255.0 management 602 | http 68.75.55.47 255.255.255.255 wan0 603 | http 75.31.228.142 255.255.255.255 wan0 604 | http 68.75.163.115 255.255.255.255 wan0 605 | http 98.227.183.179 255.255.255.255 wan0 606 | no snmp-server location 607 | no snmp-server contact 608 | snmp-server enable traps snmp authentication linkup linkdown coldstart 609 | crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 610 | crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 611 | crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 612 | crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 613 | crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 614 | crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 615 | crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 616 | crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 617 | crypto ipsec transform-set myset esp-3des esp-md5-hmac 618 | crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 619 | crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 620 | crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 621 | crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-256-MD5 ESP-3DES-MD5 ESP-3DES-SHA ESP-AES-256-SHA ESP-DES-SHA ESP-DES-MD5 ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 622 | crypto map wan0_map 
65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP 623 | crypto map wan0_map interface wan0 624 | crypto map wlan0_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP 625 | crypto map wlan0_map interface wlan0 626 | crypto ca trustpoint ASDM_TrustPoint0 627 | enrollment terminal 628 | fqdn pppfw01.xyz.com 629 | email support@xyz.com 630 | subject-name CN=xyzinder Develpment,OU=xyzinder,O=xyzinder,C=US,St=IL,L=Chicago 631 | keypair pppfw01.xyz.key 632 | no client-types 633 | crl configure 634 | crypto ca trustpoint LOCAL-CA-SERVER 635 | keypair LOCAL-CA-SERVER 636 | crl configure 637 | crypto ca trustpoint ASDM_TrustPoint1 638 | enrollment self 639 | fqdn pppfw01 640 | subject-name CN=pppfw01 641 | serial-number 642 | no client-types 643 | proxy-ldc-issuer 644 | crl configure 645 | crypto ca server 646 | crypto ca certificate map DefaultCertificateMap 10 647 | crypto ca certificate map xyzinder_Cet_SSL_map 20 648 | crypto ca certificate chain LOCAL-CA-SERVER 649 | certificate ca 01 650 | 651 | quit 652 | crypto ca certificate chain ASDM_TrustPoint1 653 | certificate 31 654 | 655 | quit 656 | crypto isakmp identity address 657 | crypto isakmp enable wlan0 658 | crypto isakmp enable wan0 659 | crypto isakmp policy 5 660 | authentication pre-share 661 | encryption 3des 662 | hash sha 663 | group 2 664 | lifetime 86400 665 | crypto isakmp policy 10 666 | authentication pre-share 667 | encryption des 668 | hash sha 669 | group 2 670 | lifetime 86400 671 | crypto isakmp nat-traversal 120 672 | telnet 192.168.83.45 255.255.255.255 Internal 673 | telnet timeout 5 674 | ssh scopy enable 675 | ssh 192.168.83.0 255.255.255.0 Internal 676 | ssh 192.168.0.0 255.255.0.0 Internal 677 | ssh 203.157.75.41 255.255.255.255 wan0 678 | ssh vpn_network 255.255.255.0 wan0 679 | ssh 203.167.75.0 255.255.255.0 wan0 680 | ssh 24.14.226.62 255.255.255.255 wan0 681 | ssh 75.31.228.142 255.255.255.255 wan0 682 | ssh timeout 20 683 | ssh version 2 684 | console timeout 0 685 | 
management-access Internal 686 | dhcpd dns Openfiler xo_dns_2 687 | dhcpd lease 1200 688 | dhcpd domain xyz.com 689 | dhcpd option 6 ip Openfiler Openfiler 690 | ! 691 | dhcpd address 192.168.83.100-192.168.83.171 Internal 692 | dhcpd dns Openfiler interface Internal 693 | dhcpd domain xyz.com interface Internal 694 | dhcpd update dns both interface Internal 695 | dhcpd option 5 ip Openfiler openfiler01_dns_dmz interface Internal 696 | dhcpd enable Internal 697 | ! 698 | dhcpd address 192.168.85.2-192.168.85.240 wlan0 699 | dhcpd dns openfiler01_dns_dmz interface wlan0 700 | dhcpd wins 192.168.83.77 interface wlan0 701 | dhcpd update dns both interface wlan0 702 | dhcpd option 3 ip 192.168.85.1 interface wlan0 703 | dhcpd option 6 ip openfiler01_dns_dmz interface wlan0 704 | dhcpd enable wlan0 705 | ! 706 | vpn load-balancing 707 | interface lbpublic DMZ0 708 | interface lbprivate DMZ0 709 | priority-queue wan0 710 | threat-detection basic-threat 711 | threat-detection statistics 712 | ! 713 | class-map wan0-class 714 | description RTP VOIP 715 | match rtp 10000 10000 716 | ! 717 | ! 718 | policy-map wan0-policy-voip 719 | description RTP VOIP 720 | class wan0-class 721 | priority 722 | policy-map type inspect sip Secure_SIP 723 | description sip policy for securing traffic flow 724 | parameters 725 | max-forwards-validation action drop log 726 | state-checking action drop-connection log 727 | software-version action mask log 728 | strict-header-validation action drop log 729 | no traffic-non-sip 730 | uri-non-sip action mask log 731 | rtp-conformance enforce-payloadtype 732 | ! 
733 | service-policy wan0-policy-voip interface wan0 734 | ntp server 64.247.17.254 source wan0 prefer 735 | ntp server 64.34.180.101 source wan0 736 | ntp server 64.202.112.75 source wan0 737 | ntp server 69.93.111.178 source wan0 738 | tftp-server Internal 192.168.83.41 / 739 | ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 rc4-md5 des-sha1 740 | ssl trust-point ASDM_TrustPoint1 741 | ssl certificate-authentication interface wan0 port 443 742 | ssl certificate-authentication interface wlan0 port 443 743 | webvpn 744 | enable Internal 745 | enable DMZ0 746 | enable wlan0 747 | enable wan0 748 | svc image disk0:/anyconnect-win-2.2.0140-k9.pkg 1 749 | svc image disk0:/sslclient-win-1.1.4.176-anyconnect.pkg 2 750 | svc image disk0:/sslclient-win-1.1.4.176.pkg 3 751 | svc enable 752 | tunnel-group-list enable 753 | internal-password enable 754 | certificate-group-map xyzinder_Cet_SSL_map 20 xyzinder 755 | group-policy xyzinder_development internal 756 | group-policy xyzinder_development attributes 757 | dns-server value 192.168.84.77 192.168.84.250 758 | vpn-tunnel-protocol IPSec svc webvpn 759 | split-tunnel-policy tunnelall 760 | default-domain value xyz.com 761 | group-policy xyzinder internal 762 | group-policy xyzinder attributes 763 | dns-server none 764 | vpn-idle-timeout 120 765 | vpn-session-timeout 600 766 | vpn-tunnel-protocol IPSec svc webvpn 767 | split-tunnel-policy tunnelspecified 768 | split-tunnel-network-list value xyzinder_splitTunnelAcl 769 | default-domain value xyz.com 770 | webvpn 771 | url-list value PFA_AnyConnect_Bookmark 772 | svc ask enable 773 | group-policy xyzinder_customer internal 774 | group-policy xyzinder_customer attributes 775 | wins-server value 192.168.84.77 776 | dns-server value 192.168.84.77 192.168.84.250 777 | vpn-tunnel-protocol IPSec svc webvpn 778 | default-domain value xyz.com 779 | webvpn 780 | svc keep-installer none 781 | group-policy xyzinder_split_tunnel internal 782 | group-policy xyzinder_split_tunnel 
attributes 783 | dns-server none 784 | vpn-idle-timeout 120 785 | vpn-session-timeout 600 786 | vpn-tunnel-protocol IPSec svc webvpn 787 | split-tunnel-policy tunnelspecified 788 | split-tunnel-network-list value xyzinder_splitTunnelAcl 789 | default-domain value xyz.com 790 | webvpn 791 | url-list value PFA_AnyConnect_Bookmark 792 | svc ask enable 793 | group-policy DfltGrpPolicy attributes 794 | vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn 795 | group-policy consultants internal 796 | group-policy consultants attributes 797 | dns-server none 798 | vpn-tunnel-protocol IPSec 799 | split-tunnel-policy tunnelspecified 800 | split-tunnel-network-list value consultants_splitTunnelAcl 801 | username xxxxxxx password zzzzzzzzzz encrypted 802 | username xxxxxxxxx attributes 803 | service-type remote-access 804 | username wwwwwww password xxxxxxxxxx encrypted privilege 15 805 | username wwwwwww attributes 806 | memberof xyzinder 807 | tunnel-group DefaultRAGroup webvpn-attributes 808 | group-alias customer disable 809 | group-alias xyz.com disable 810 | tunnel-group xyzinder type remote-access 811 | tunnel-group xyzinder general-attributes 812 | address-pool (wan0) IPSec_IP_Pool 813 | address-pool IPSec_IP_Pool 814 | authentication-server-group (wan0) LOCAL 815 | authentication-server-group (wlan0) LOCAL 816 | authorization-server-group LOCAL 817 | default-group-policy xyzinder 818 | password-management 819 | tunnel-group xyzinder webvpn-attributes 820 | group-alias staff.xyz.com enable 821 | tunnel-group xyzinder ipsec-attributes 822 | pre-shared-key * 823 | tunnel-group xyzinder_customer type remote-access 824 | tunnel-group xyzinder_customer general-attributes 825 | address-pool IPSec_IP_DMZ_Pool 826 | authentication-server-group (DMZ0) LOCAL 827 | authorization-server-group LOCAL 828 | default-group-policy xyzinder_development 829 | tunnel-group xyzinder_customer webvpn-attributes 830 | group-alias customer.xyz.com enable 831 | tunnel-group xyzinder_customer 
ipsec-attributes 832 | pre-shared-key * 833 | tunnel-group xyzinder_anyconnect type remote-access 834 | tunnel-group xyzinder_anyconnect general-attributes 835 | address-pool IPSec_IP_Pool 836 | tunnel-group consultants type remote-access 837 | tunnel-group consultants general-attributes 838 | address-pool consultants 839 | default-group-policy consultants 840 | tunnel-group consultants ipsec-attributes 841 | pre-shared-key * 842 | tunnel-group xyzinder_split_tunnel type remote-access 843 | tunnel-group xyzinder_split_tunnel general-attributes 844 | address-pool (wan0) IPSec_IP_Pool 845 | address-pool IPSec_IP_Pool 846 | authentication-server-group (wan0) LOCAL 847 | authentication-server-group (wlan0) LOCAL 848 | default-group-policy xyzinder_split_tunnel 849 | password-management 850 | tunnel-group xyzinder_split_tunnel ipsec-attributes 851 | pre-shared-key * 852 | smtp-server 228.79.38.134 853 | privilege cmd level 3 mode exec command perfmon 854 | privilege cmd level 3 mode exec command ping 855 | privilege cmd level 3 mode exec command who 856 | privilege cmd level 3 mode exec command logging 857 | privilege cmd level 3 mode exec command failover 858 | privilege show level 5 mode exec command import 859 | privilege show level 5 mode exec command running-config 860 | privilege show level 3 mode exec command reload 861 | privilege show level 3 mode exec command mode 862 | privilege show level 3 mode exec command firewall 863 | privilege show level 3 mode exec command interface 864 | privilege show level 3 mode exec command clock 865 | privilege show level 3 mode exec command dns-hosts 866 | privilege show level 3 mode exec command access-list 867 | privilege show level 3 mode exec command logging 868 | privilege show level 3 mode exec command vlan 869 | privilege show level 3 mode exec command ip 870 | privilege show level 3 mode exec command failover 871 | privilege show level 3 mode exec command asdm 872 | privilege show level 3 mode exec command arp 873 | 
privilege show level 3 mode exec command route 874 | privilege show level 3 mode exec command ospf 875 | privilege show level 3 mode exec command aaa-server 876 | privilege show level 3 mode exec command aaa 877 | privilege show level 3 mode exec command eigrp 878 | privilege show level 3 mode exec command crypto 879 | privilege show level 3 mode exec command vpn-sessiondb 880 | privilege show level 3 mode exec command ssh 881 | privilege show level 3 mode exec command dhcpd 882 | privilege show level 3 mode exec command vpn 883 | privilege show level 3 mode exec command blocks 884 | privilege show level 3 mode exec command wccp 885 | privilege show level 3 mode exec command webvpn 886 | privilege show level 3 mode exec command uauth 887 | privilege show level 3 mode exec command compression 888 | privilege show level 3 mode configure command interface 889 | privilege show level 3 mode configure command clock 890 | privilege show level 3 mode configure command access-list 891 | privilege show level 3 mode configure command logging 892 | privilege show level 3 mode configure command ip 893 | privilege show level 3 mode configure command failover 894 | privilege show level 5 mode configure command asdm 895 | privilege show level 3 mode configure command arp 896 | privilege show level 3 mode configure command route 897 | privilege show level 3 mode configure command aaa-server 898 | privilege show level 3 mode configure command aaa 899 | privilege show level 3 mode configure command crypto 900 | privilege show level 3 mode configure command ssh 901 | privilege show level 3 mode configure command dhcpd 902 | privilege show level 5 mode configure command privilege 903 | privilege clear level 3 mode exec command dns-hosts 904 | privilege clear level 3 mode exec command logging 905 | privilege clear level 3 mode exec command arp 906 | privilege clear level 3 mode exec command aaa-server 907 | privilege clear level 3 mode exec command crypto 908 | privilege cmd level 3 
mode configure command failover 909 | privilege clear level 3 mode configure command logging 910 | privilege clear level 3 mode configure command arp 911 | privilege clear level 3 mode configure command crypto 912 | privilege clear level 3 mode configure command aaa-server 913 | prompt hostname context 914 | Cryptochecksum:84536e504e4b5cdbc07180eabe335bd1 915 | : end 916 | asdm image disk0:/asdm-603.bin 917 | asdm location secure.xyz.biz_int 255.255.255.255 management 918 | asdm location www.xyz.com_dev_int 255.255.255.255 management 919 | asdm location lfo.xyz.biz_int 255.255.255.255 management 920 | asdm location collab.xyz.com_int 255.255.255.255 management 921 | asdm location qphone_int 255.255.255.255 management 922 | asdm location wopr.xyz.com_int 255.255.255.255 management 923 | asdm location mingle_int 255.255.255.255 management 924 | asdm location facebook_dev_int 255.255.255.255 management 925 | asdm location andrews_int 255.255.255.255 management 926 | asdm location cata_int 255.255.255.255 management 927 | asdm location rapReport_dev_int 255.255.255.255 management 928 | asdm location iPhone_dev_int 255.255.255.255 management 929 | asdm location atlas.xyz.com_int 255.255.255.255 management 930 | asdm location folioMedia_int 255.255.255.255 management 931 | asdm location collab.xyz.com_ext 255.255.255.255 management 932 | asdm location lfo.xyz.biz_ext 255.255.255.255 management 933 | asdm location secure.xyz.biz_ext 255.255.255.255 management 934 | asdm location www.xyz.com_dev_ext 255.255.255.255 management 935 | asdm location folioMedia_ext 255.255.255.255 management 936 | asdm location andrews_ext 255.255.255.255 management 937 | asdm location atlas.xyz.com_ext 255.255.255.255 management 938 | asdm location cata_ext 255.255.255.255 management 939 | asdm location facebook_dev_ext 255.255.255.255 management 940 | asdm location iPhone_dev_ext 255.255.255.255 management 941 | asdm location mingle_ext 255.255.255.255 management 942 | asdm location 
rapReport_dev_ext 255.255.255.255 management 943 | asdm location woprtasker_ext 255.255.255.255 management 944 | asdm location backup_test 255.255.255.255 management 945 | asdm location lifestg1_ext 255.255.255.255 management 946 | asdm location cata5 255.255.255.255 management 947 | asdm location cata2 255.255.255.255 management 948 | asdm location cata1 255.255.255.255 management 949 | asdm location cata6 255.255.255.255 management 950 | asdm location andrews_remote1 255.255.255.255 management 951 | asdm location NAL_sharepoint_int 255.255.255.255 management 952 | asdm location skunkworks_dev_int 255.255.255.255 management 953 | asdm location NAL_build_int 255.255.255.255 management 954 | asdm location win2k_server_IE6 255.255.255.255 management 955 | asdm location svnmail_int 255.255.255.255 management 956 | asdm location atoth_macbook_pro 255.255.255.255 management 957 | asdm location Openfiler 255.255.255.255 management 958 | asdm location PM_staging_DB_server 255.255.255.255 Internal 959 | asdm location vmdev_int 255.255.255.255 Internal 960 | asdm location vmdev_ext 255.255.255.255 Internal 961 | asdm location yovidportal_int 255.255.255.255 Internal 962 | asdm location yovidportal_ext 255.255.255.255 Internal 963 | asdm location asterisknow_int 255.255.255.255 Internal 964 | asdm location asterisknow_ext 255.255.255.255 Internal 965 | asdm location folioMediaOfficeFirewall1 255.255.255.255 Internal 966 | asdm location switchvox1_int 255.255.255.255 Internal 967 | asdm location lifestg1_int 255.255.255.255 management 968 | asdm location vmdmz01_int 255.255.255.255 Internal 969 | asdm location qphone_ext 255.255.255.255 Internal 970 | asdm location FTPserver_int 255.255.255.255 Internal 971 | asdm location FTPserver_ext 255.255.255.255 Internal 972 | asdm location life_LeslieWhite 255.255.255.255 Internal 973 | asdm location switchvox1_ext 255.255.255.255 Internal 974 | asdm location djoya_home 255.255.255.255 Internal 975 | asdm location 
switchvox_tech_support 255.255.255.255 Internal 976 | asdm location Alan_in_Australia 255.255.255.255 Internal 977 | asdm location Costa_Rica_external_1 255.255.255.255 Internal 978 | asdm location Karega_int 255.255.255.255 Internal 979 | asdm location flossTest_ext 255.255.255.255 Internal 980 | asdm location woprtasker_int 255.255.255.255 Internal 981 | asdm location life_Hawkins 255.255.255.240 Internal 982 | asdm location svnmail_ext 255.255.255.255 Internal 983 | asdm location xobot_firewall 255.255.255.255 Internal 984 | asdm location flossTest_int 255.255.255.255 Internal 985 | asdm location stunusa.yovid.com 255.255.255.255 Internal 986 | asdm location floss_Firewall2 255.255.255.255 Internal 987 | asdm location flossDev_int 255.255.255.255 Internal 988 | asdm location flossDev_ext 255.255.255.255 Internal 989 | asdm location life_Bishop 255.255.255.255 Internal 990 | asdm location life_Stack 255.255.255.248 Internal 991 | asdm location collab3.xyz.com_int 255.255.255.255 Internal 992 | asdm location pfd_dsl_ext 255.255.0.0 Internal 993 | asdm location woprstaging_int 255.255.255.255 Internal 994 | asdm location change_int 255.255.255.255 Internal 995 | asdm location change_ext 255.255.255.255 Internal 996 | asdm location yovidportalalpha_int 255.255.255.255 Internal 997 | asdm location yovidportalalpha_ext 255.255.255.255 Internal 998 | asdm location life_alpha_int 255.255.255.255 Internal 999 | asdm location life_alpha_ext 255.255.255.255 Internal 1000 | asdm location pfd_dsl2_ext 255.255.0.0 Internal 1001 | asdm location asterisknow2_int 255.255.255.255 Internal 1002 | asdm location asterisknow2_ext 255.255.255.255 Internal 1003 | no asdm history enable 1004 | --------------------------------------------------------------------------------