! ============================================================================
! VantagePoint Networks - Cisco ASA 5525-X Hardened Firewall Configuration
! ============================================================================
! Template Version: 2.1
! Platform: Cisco ASA 5525-X (9.16+)
! Purpose: Enterprise perimeter firewall with VPN, DMZ, and full hardening
! License: VantagePoint Networks Commercial Template
! ============================================================================
!
! VARIABLES - Replace before deployment:
!   <HOSTNAME>            - Firewall hostname (e.g., VPN-FW-EDGE-01)
!   <DOMAIN_NAME>         - Domain name (e.g., corp.example.com)
!   <OUTSIDE_IP>          - Outside interface IP
!   <OUTSIDE_MASK>        - Outside interface subnet mask
!   <OUTSIDE_GW>          - Outside default gateway
!   <INSIDE_IP>           - Inside interface IP (e.g., 10.1.0.1)
!   <INSIDE_MASK>         - Inside interface mask (e.g., 255.255.255.0)
!   <INSIDE_NETWORK>      - Inside network (e.g., 10.1.0.0)
!   <DMZ_IP>              - DMZ interface IP (e.g., 172.16.1.1)
!   <DMZ_MASK>            - DMZ interface mask
!   <DMZ_NETWORK>         - DMZ network (e.g., 172.16.1.0)
!   <MGMT_IP>             - Management interface IP
!   <MGMT_MASK>           - Management interface mask
!   <MGMT_NETWORK>        - Management subnet
!   <WEB_SERVER_DMZ_IP>   - DMZ web server private IP
!   <WEB_SERVER_PUBLIC_IP>- DMZ web server NAT public IP
!   <MAIL_SERVER_DMZ_IP>  - DMZ mail server private IP
!   <MAIL_SERVER_PUBLIC_IP>- DMZ mail server NAT public IP
!   <RADIUS_SERVER_1>     - Primary RADIUS server IP
!   <RADIUS_SERVER_2>     - Secondary RADIUS server IP
!   <RADIUS_KEY>          - RADIUS shared secret
!   <SYSLOG_SERVER>       - Syslog server IP
!   <SNMP_SERVER>         - SNMP management station IP
!   <SNMP_USER>           - SNMPv3 username
!   <SNMP_AUTH_PASS>      - SNMPv3 auth passphrase
!   <SNMP_PRIV_PASS>      - SNMPv3 priv passphrase
!   <NTP_SERVER_1>        - Primary NTP server
!   <NTP_SERVER_2>        - Secondary NTP server
!   <SSH_MGMT_HOST_1>     - Allowed SSH management host 1
!   <SSH_MGMT_HOST_2>     - Allowed SSH management host 2
!   <VPN_POOL_START>      - AnyConnect VPN pool start IP
!   <VPN_POOL_END>        - AnyConnect VPN pool end IP
!   <VPN_POOL_MASK>       - AnyConnect VPN pool mask
!   <VPN_DNS_1>           - VPN client DNS server 1
!   <VPN_DNS_2>           - VPN client DNS server 2
!   <VPN_DOMAIN>          - VPN client default domain
!   <PEER_VPN_IP>         - Site-to-site VPN peer public IP
!   <PEER_NETWORK>        - Remote site network
!   <PEER_MASK>           - Remote site mask
!   <IKEV2_PSK>           - IKEv2 pre-shared key
!   <STANDBY_IP_OUTSIDE>  - Failover standby outside IP
!   <STANDBY_IP_INSIDE>   - Failover standby inside IP
!   <STANDBY_IP_DMZ>      - Failover standby DMZ IP
!   <FAILOVER_KEY>        - Failover shared secret
!   <ENABLE_SECRET>       - Enable secret password
!   <LOCAL_ADMIN_PASS>    - Local admin password
!   <CERT_TRUSTPOINT>     - SSL certificate trustpoint name
! ============================================================================

! --- System Identity ---
hostname <HOSTNAME>
domain-name <DOMAIN_NAME>
enable password <ENABLE_SECRET> encrypted

! --- Clock and NTP ---
clock timezone UTC 0
ntp server <NTP_SERVER_1> prefer
ntp server <NTP_SERVER_2>

! --- Banner ---
banner motd +
+=========================================================================+
| VantagePoint Networks - AUTHORIZED ACCESS ONLY                          |
|                                                                         |
| This system is the property of VantagePoint Networks. Unauthorized      |
| access is prohibited and will be prosecuted to the fullest extent of    |
| applicable law. All activity is monitored and logged.                   |
|                                                                         |
| By accessing this system you consent to monitoring and recording of     |
| all activity. Disconnect immediately if you are not an authorized user. |
+=========================================================================+
+

banner asdm +
VantagePoint Networks - <HOSTNAME> - ASDM Management Console
Authorized personnel only. All sessions logged.
+

! ============================================================================
! INTERFACES
! ============================================================================

interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address <OUTSIDE_IP> <OUTSIDE_MASK>
 no shutdown

interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address <INSIDE_IP> <INSIDE_MASK>
 no shutdown

interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address <DMZ_IP> <DMZ_MASK>
 no shutdown

interface Management0/0
 nameif Management
 security-level 100
 ip address <MGMT_IP> <MGMT_MASK>
 management-only
 no shutdown

! ============================================================================
! OBJECT DEFINITIONS
! ============================================================================

object network obj-INSIDE-NETWORK
 subnet <INSIDE_NETWORK> <INSIDE_MASK>

object network obj-DMZ-NETWORK
 subnet <DMZ_NETWORK> <DMZ_MASK>

object network obj-MGMT-NETWORK
 subnet <MGMT_NETWORK> <MGMT_MASK>

object network obj-DMZ-WEBSERVER
 host <WEB_SERVER_DMZ_IP>

object network obj-DMZ-WEBSERVER-PUBLIC
 host <WEB_SERVER_PUBLIC_IP>

object network obj-DMZ-MAILSERVER
 host <MAIL_SERVER_DMZ_IP>

object network obj-DMZ-MAILSERVER-PUBLIC
 host <MAIL_SERVER_PUBLIC_IP>

object network obj-VPN-POOL
 subnet <VPN_POOL_START> <VPN_POOL_MASK>

object network obj-PEER-NETWORK
 subnet <PEER_NETWORK> <PEER_MASK>

object network obj-RADIUS-1
 host <RADIUS_SERVER_1>

object network obj-RADIUS-2
 host <RADIUS_SERVER_2>

object network obj-SYSLOG
 host <SYSLOG_SERVER>

! --- Object Groups ---
object-group network INSIDE-NETWORKS
 network-object object obj-INSIDE-NETWORK
 network-object object obj-MGMT-NETWORK

object-group network DMZ-SERVERS
 network-object object obj-DMZ-WEBSERVER
 network-object object obj-DMZ-MAILSERVER

object-group network RADIUS-SERVERS
 network-object object obj-RADIUS-1
 network-object object obj-RADIUS-2

object-group service DM_INLINE_TCP_WEBSERVICES tcp
 port-object eq www
 port-object eq https

object-group service DM_INLINE_TCP_MAILSERVICES tcp
 port-object eq smtp
 port-object eq 587
 port-object eq 993

object-group service ICMP-ALLOWED
 service-object icmp echo
 service-object icmp echo-reply
 service-object icmp unreachable
 service-object icmp time-exceeded

object-group network RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0

object-group network BOGON-NETWORKS
 network-object 0.0.0.0 255.0.0.0
 network-object 127.0.0.0 255.0.0.0
 network-object 169.254.0.0 255.255.0.0
 network-object 224.0.0.0 240.0.0.0
 network-object 240.0.0.0 240.0.0.0

! ============================================================================
! NAT CONFIGURATION
! ============================================================================

! --- Dynamic PAT for Inside to Outside ---
object network obj-INSIDE-NETWORK
 nat (Inside,Outside) dynamic interface

! --- Dynamic PAT for DMZ to Outside ---
object network obj-DMZ-NETWORK
 nat (DMZ,Outside) dynamic interface

! --- Static NAT for DMZ Web Server ---
object network obj-DMZ-WEBSERVER
 nat (DMZ,Outside) static <WEB_SERVER_PUBLIC_IP>

! --- Static NAT for DMZ Mail Server ---
object network obj-DMZ-MAILSERVER
 nat (DMZ,Outside) static <MAIL_SERVER_PUBLIC_IP>

! --- NAT Exemption for VPN traffic ---
nat (Inside,Outside) source static obj-INSIDE-NETWORK obj-INSIDE-NETWORK destination static obj-VPN-POOL obj-VPN-POOL no-proxy-arp route-lookup

! --- NAT Exemption for Site-to-Site VPN ---
nat (Inside,Outside) source static obj-INSIDE-NETWORK obj-INSIDE-NETWORK destination static obj-PEER-NETWORK obj-PEER-NETWORK no-proxy-arp route-lookup

! ============================================================================
! ACCESS LISTS
! ============================================================================

! --- Outside Inbound ACL ---
access-list OUTSIDE-IN extended deny ip object-group BOGON-NETWORKS any log 4
access-list OUTSIDE-IN extended deny ip any object-group BOGON-NETWORKS log 4
access-list OUTSIDE-IN extended deny ip object-group RFC1918 any log 4
access-list OUTSIDE-IN extended permit tcp any object obj-DMZ-WEBSERVER-PUBLIC object-group DM_INLINE_TCP_WEBSERVICES
access-list OUTSIDE-IN extended permit tcp any object obj-DMZ-MAILSERVER-PUBLIC object-group DM_INLINE_TCP_MAILSERVICES
access-list OUTSIDE-IN extended permit icmp any any object-group ICMP-ALLOWED
access-list OUTSIDE-IN extended deny ip any any log 4

! --- Inside Outbound ACL ---
access-list INSIDE-OUT extended permit tcp object-group INSIDE-NETWORKS any object-group DM_INLINE_TCP_WEBSERVICES
access-list INSIDE-OUT extended permit tcp object-group INSIDE-NETWORKS any eq domain
access-list INSIDE-OUT extended permit udp object-group INSIDE-NETWORKS any eq domain
access-list INSIDE-OUT extended permit tcp object-group INSIDE-NETWORKS any eq ssh
access-list INSIDE-OUT extended permit tcp object-group INSIDE-NETWORKS any eq ftp
access-list INSIDE-OUT extended permit icmp object-group INSIDE-NETWORKS any object-group ICMP-ALLOWED
access-list INSIDE-OUT extended permit tcp object-group INSIDE-NETWORKS object-group DMZ-SERVERS object-group DM_INLINE_TCP_WEBSERVICES
access-list INSIDE-OUT extended permit tcp object-group INSIDE-NETWORKS object-group DMZ-SERVERS object-group DM_INLINE_TCP_MAILSERVICES
access-list INSIDE-OUT extended deny ip any any log 4

! --- DMZ ACL ---
access-list DMZ-IN extended permit tcp object-group DMZ-SERVERS any eq domain
access-list DMZ-IN extended permit udp object-group DMZ-SERVERS any eq domain
access-list DMZ-IN extended permit tcp object-group DMZ-SERVERS object-group RADIUS-SERVERS eq 1812
access-list DMZ-IN extended permit udp object-group DMZ-SERVERS object-group RADIUS-SERVERS eq 1812
access-list DMZ-IN extended deny ip object-group DMZ-SERVERS object-group INSIDE-NETWORKS log 4
access-list DMZ-IN extended deny ip any any log 4

! --- VPN Split Tunnel ACL ---
access-list VPN-SPLIT-TUNNEL standard permit <INSIDE_NETWORK> <INSIDE_MASK>
access-list VPN-SPLIT-TUNNEL standard permit <DMZ_NETWORK> <DMZ_MASK>

! --- Apply ACLs ---
access-group OUTSIDE-IN in interface Outside
access-group INSIDE-OUT in interface Inside
access-group DMZ-IN in interface DMZ

! ============================================================================
! AAA / RADIUS CONFIGURATION
! ============================================================================

aaa-server RADIUS-SERVERS protocol radius
aaa-server RADIUS-SERVERS (Inside) host <RADIUS_SERVER_1>
 key <RADIUS_KEY>
 timeout 10
 retry-interval 5
 authentication-port 1812
 accounting-port 1813
aaa-server RADIUS-SERVERS (Inside) host <RADIUS_SERVER_2>
 key <RADIUS_KEY>
 timeout 10
 retry-interval 5
 authentication-port 1812
 accounting-port 1813

aaa authentication ssh console RADIUS-SERVERS LOCAL
aaa authentication enable console RADIUS-SERVERS LOCAL
aaa authentication http console RADIUS-SERVERS LOCAL
aaa accounting command RADIUS-SERVERS
aaa accounting connection RADIUS-SERVERS
aaa authorization command RADIUS-SERVERS LOCAL

! --- Local Fallback User ---
username vpnadmin password <LOCAL_ADMIN_PASS> encrypted privilege 15
username vpnadmin attributes
 service-type admin

! ============================================================================
! SSH HARDENING
! ============================================================================

ssh stricthostkeycheck
ssh version 2
ssh key-exchange group dh-group14-sha256
ssh cipher encryption high
ssh cipher integrity high
ssh <SSH_MGMT_HOST_1> 255.255.255.255 Management
ssh <SSH_MGMT_HOST_2> 255.255.255.255 Management
ssh <MGMT_NETWORK> <MGMT_MASK> Inside
ssh timeout 15
ssh scopy enable
console timeout 5

! --- Disable insecure protocols ---
no telnet
no http server enable
no snmp-server location
no snmp-server contact

! ============================================================================
! LOGGING / SYSLOG
! ============================================================================

logging enable
logging timestamp
logging buffer-size 1048576
logging buffered informational
logging trap informational
logging asdm informational
logging host Inside <SYSLOG_SERVER> tcp/1468
logging device-id hostname
logging permit-hostdown
logging class auth trap informational
logging class config trap informational
logging class vpn trap informational
logging class ha trap informational
logging class ip trap informational
logging message 106023 level 6
logging message 302013 level 6
logging message 302015 level 6
logging message 710003 level 6

! ============================================================================
! SNMPv3 CONFIGURATION
! ============================================================================

snmp-server group VPNMON v3 priv
snmp-server user <SNMP_USER> VPNMON v3 auth sha <SNMP_AUTH_PASS> priv aes 256 <SNMP_PRIV_PASS>
snmp-server host Inside <SNMP_SERVER> version 3 <SNMP_USER>
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps memory-threshold
snmp-server enable traps interface-threshold
snmp-server enable traps connection-limit-reached

! ============================================================================
! THREAT DETECTION
! ============================================================================

threat-detection basic-threat
threat-detection scanning-threat shun except ip-address <INSIDE_NETWORK> <INSIDE_MASK>
threat-detection scanning-threat shun except ip-address <MGMT_NETWORK> <MGMT_MASK>
threat-detection statistics host number-of-rate 3
threat-detection statistics port number-of-rate 3
threat-detection statistics protocol number-of-rate 3
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
threat-detection rate dos-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate bad-packet-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 800
threat-detection rate conn-limit-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate icmp-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate syn-attack rate-interval 600 average-rate 100 burst-rate 200

! ============================================================================
! INSPECTION POLICY MAPS
! ============================================================================

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no-client-recursion

policy-map type inspect http HTTP-INSPECT-MAP
 parameters
  protocol-violation action drop-connection log
 match request method connect
  drop-connection log
 match request body length gt 65535
  drop-connection log

policy-map type inspect ftp FTP-INSPECT-MAP
 match filename regex _default_ftp_filename
  reset log

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp strict FTP-INSPECT-MAP
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
 class class-default
  inspect http HTTP-INSPECT-MAP
  set connection embryonic-conn-max 2000
  set connection conn-max 10000
  set connection per-client-embryonic-max 50
  set connection per-client-max 200
  set connection timeout embryonic 0:00:30
  set connection timeout idle 1:00:00
  set connection timeout half-closed 0:10:00

service-policy global_policy global

! ============================================================================
! SITE-TO-SITE VPN (IKEv2)
! ============================================================================

crypto ikev2 policy 10
 encryption aes-256 aes-192
 integrity sha512 sha384 sha256
 group 21 20 19 14
 prf sha512 sha384 sha256
 lifetime seconds 28800

crypto ikev2 enable Outside

tunnel-group <PEER_VPN_IP> type ipsec-l2l
tunnel-group <PEER_VPN_IP> ipsec-attributes
 ikev2 remote-authentication pre-shared-key <IKEV2_PSK>
 ikev2 local-authentication pre-shared-key <IKEV2_PSK>
 isakmp keepalive threshold 30 retry 5

crypto ipsec ikev2 ipsec-proposal AES256-GCM
 protocol esp encryption aes-256-gcm
 protocol esp integrity null

crypto map VPN-MAP 10 match address S2S-VPN-TRAFFIC
crypto map VPN-MAP 10 set peer <PEER_VPN_IP>
crypto map VPN-MAP 10 set ikev2 ipsec-proposal AES256-GCM
crypto map VPN-MAP 10 set security-association lifetime seconds 3600
crypto map VPN-MAP 10 set security-association lifetime kilobytes unlimited
crypto map VPN-MAP 10 set pfs group21
crypto map VPN-MAP interface Outside

access-list S2S-VPN-TRAFFIC extended permit ip object obj-INSIDE-NETWORK object obj-PEER-NETWORK

! ============================================================================
! ANYCONNECT SSL VPN
! ============================================================================

webvpn
 enable Outside
 anyconnect image disk0:/anyconnect-win-4.10.07073-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-macos-4.10.07073-webdeploy-k9.pkg 2
 anyconnect enable
 tunnel-group-list enable
 no anyconnect-essentials

ip local pool VPN-POOL <VPN_POOL_START>-<VPN_POOL_END> mask <VPN_POOL_MASK>

group-policy GP-ANYCONNECT internal
group-policy GP-ANYCONNECT attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-SPLIT-TUNNEL
 dns-server value <VPN_DNS_1> <VPN_DNS_2>
 default-domain value <VPN_DOMAIN>
 address-pools value VPN-POOL
 anyconnect keep-installer installed
 anyconnect ask none default anyconnect
 anyconnect dpd-interval client 30
 anyconnect dpd-interval gateway 30
 anyconnect ssl dtls enable
 webvpn
  anyconnect profiles value VPN-CLIENT-PROFILE disk0:/vpn-client-profile.xml
  anyconnect ssl compression deflate
  anyconnect mtu 1406

tunnel-group ANYCONNECT-VPN type remote-access
tunnel-group ANYCONNECT-VPN general-attributes
 address-pool VPN-POOL
 authentication-server-group RADIUS-SERVERS
 default-group-policy GP-ANYCONNECT
 accounting-server-group RADIUS-SERVERS
tunnel-group ANYCONNECT-VPN webvpn-attributes
 group-alias "VantagePoint VPN" enable
 group-url https://<OUTSIDE_IP>/vpn enable

! ============================================================================
! FAILOVER (ACTIVE/STANDBY)
! ============================================================================

failover
failover lan unit primary
failover lan interface FAILOVER-LINK GigabitEthernet0/3
failover polltime unit 1 holdtime 15
failover polltime interface 5 holdtime 25
failover key <FAILOVER_KEY>
failover replication http
failover link FAILOVER-LINK GigabitEthernet0/3
failover interface ip FAILOVER-LINK 10.255.255.1 255.255.255.252 standby 10.255.255.2

failover group 1
 primary
 preempt

! --- Standby IP Addresses ---
interface GigabitEthernet0/0
 ip address <OUTSIDE_IP> <OUTSIDE_MASK> standby <STANDBY_IP_OUTSIDE>

interface GigabitEthernet0/1
 ip address <INSIDE_IP> <INSIDE_MASK> standby <STANDBY_IP_INSIDE>

interface GigabitEthernet0/2
 ip address <DMZ_IP> <DMZ_MASK> standby <STANDBY_IP_DMZ>

! ============================================================================
! ROUTING
! ============================================================================

route Outside 0.0.0.0 0.0.0.0 <OUTSIDE_GW> 1

! ============================================================================
! ADDITIONAL HARDENING
! ============================================================================

! --- Disable unnecessary services ---
no service dhcpd
no service dhcpd Management
no asdm history enable
no cdp run

! --- Fragment and connection limits ---
fragment chain 1 Outside
fragment size 1500 Outside
fragment chain 1 DMZ

! --- Timeout hardening ---
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10

! --- ICMP rate limiting ---
icmp unreachable rate-limit 1 burst-size 1

! --- Management session limits ---
console timeout 5
ssh timeout 15

! ============================================================================
! VantagePoint Networks - End of Configuration
! Deployment Checklist:
!   1. Replace ALL <VARIABLE> placeholders
!   2. Upload AnyConnect packages to disk0:
!   3. Upload VPN client profile XML to disk0:
!   4. Install SSL certificate on trustpoint
!   5. Verify failover with standby unit
!   6. Test all ACL rules before going live
!   7. Confirm syslog and SNMP connectivity
!   8. Run 'show running-config' and archive baseline
! ============================================================================